Appendix III

Assessment of SEC's Continuous Monitoring Program

August 11, 2011
Report No. 497

Assessment and Review Conducted by C5i Federal, Inc.

REDACTED PUBLIC VERSION

UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
OFFICE OF INSPECTOR GENERAL

MEMORANDUM

August 11, 2011

To: Thomas Bayer, Chief Information Officer, Office of Information Technology (OIT)
    Jayne L. Seidman, Acting Associate Chief Operating Officer, Office of Administrative Services (OAS)
    Cristin Fair, Acting Associate Executive Director, Office of Human Resources (OHR)

From: H. David Kotz, Inspector General, Office of Inspector General (OIG)

Subject: Assessment of SEC's Continuous Monitoring Program, Report No. 497

This memorandum transmits the U.S. Securities and Exchange Commission OIG's final report detailing the results of our review of the Commission's continuous monitoring program.
This review was conducted as part of our continuous effort to assess management of the Commission's programs and operations and as part of our annual audit plan.

The final report contains 13 recommendations which, if fully implemented, will strengthen OIT's continuous monitoring program. We are pleased that OIT concurred with the 12 recommendations addressed to its office, OAS concurred with the 3 recommendations addressed to its office, and OHR concurred with the recommendation addressed to its office. Your written responses to the draft report are included in Appendix VII.

Within the next 45 days, please provide the OIG with a written corrective action plan that is designed to address the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframes for completing required actions, and milestones identifying how you will address the recommendations.

Should you have any questions regarding this report, please do not hesitate to contact me or Anthony Barnes at x15331. We appreciate the courtesy and cooperation that you and your staff extended to our staff and contractors during this review.

Attachment

cc: James R. Burns, Deputy Chief of Staff, Office of the Chairman
    Luis A. Aguilar, Commissioner
    Troy A. Paredes, Commissioner
    Elisse B. Walter, Commissioner
    Jeff Heslop, Chief Operating Officer, Executive Director, Office of Chief of Operations
    Todd Scharf, Chief Information Security Officer, Office of Information Technology
    Judith Blake, Acting Audit Liaison, Office of Administrative Services

Assessment of SEC's Continuous Monitoring Program

Executive Summary

Background. In August 2010, the U.S. Securities and Exchange Commission (SEC or Commission), Office of Inspector General (OIG), contracted with C5i Federal, Inc. (C5i) to assist with the completion and coordination of OIG's input to the Office of Management and Budget (OMB) Memorandum M-10-15, Fiscal Year 2010 Reporting Instructions for the Federal Information Security Management Act (FISMA) and Agency Privacy Management,[1] and to perform two separate reviews: one on the SEC's continuous monitoring program and the other on the inclusion of language addressing Privacy Act requirements in SEC contracts.[2] Specifically, this review was conducted to assess the Commission's continuous monitoring program. C5i did not conduct detailed control tests because doing so was not within the scope of its work.

Continuous monitoring is the process of tracking the security state of an information system on an ongoing basis and maintaining the security authorization for the system over time.
Understanding the security state of information systems is essential in highly dynamic operating environments with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring includes, but is not limited to, the following components, which are specified in National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53):[3]

• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity

[1] 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).
[2] Review of SEC Contracts for Inclusion of Language Addressing Privacy Act Requirements, Report No. 496.
[3] National Institute of Standards and Technology (NIST), Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53, Revision 3, Annex 3, pages 2-7, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

C5i used the guidance from NIST, OMB, and FISMA, and industry best practices, in our review and to support our conclusions and recommendations.

C5i reviewed the findings from previously issued OIG reports, conducted interviews with SEC Office of Information Technology (OIT) staff, and reviewed supporting documentation and the Commission's policies and procedures. As detailed in this report, we found that the following additional areas need improvement:

• Access Control
• Audit and Accountability
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Planning
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity

Because of previous work C5i conducted on the OIG's annual FISMA reporting to OMB,[4] C5i was aware of the areas on which it should focus its assessment of the SEC's continuous monitoring program.

Objectives. The overall objective was to review the SEC's continuous monitoring program and further assess current policies and procedures and their compliance with NIST, FISMA, and OMB guidance.

Results. C5i's review consisted of conducting in-depth interviews with OIT staff whose areas of responsibility included, but were not limited to, disaster recovery/continuity of operations, account management (activation and termination of user accounts), help desk, network operations (patching, software updates, log management), and asset inventory. We conducted interviews from November 2010 to December 2010. During this timeframe, we also conducted follow-up interviews with SEC employees to fully understand the Commission's continuous monitoring program. In addition, we reviewed documentation provided to us, such as the results of OIT's disaster recovery tests and asset inventory databases, and performed tests to verify whether OIT's documented procedures were being followed for functions such as password resets.

[4] 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).

C5i met with staff from the OIT Server and Storage Group to fully understand how the SEC's network servers are managed and monitored. These servers include                                                            which are the essential components that make up the SEC's network. We spoke with staff responsible for the various servers to understand the configuration of new servers, the deployment of new servers on the SEC's network, the retiring of old equipment, the monitoring of activities on the servers (logs), the backup procedures used to retain and store historical information in the event of a system failure, and the process to "rebuild" network data.
Our review found some areas of concern in OIT's policies and procedures surrounding log management and retention, and backup retention.

Currently, the OIT Server and Storage Group captures and retains logs for its networks and systems but has no documented policies and procedures pertaining to this function. Without fully defined and documented roles and responsibilities, and procedures detailing the types of logs to be captured and retained, we cannot fully determine whether the Commission is capturing system and network logs in a manner that would provide all the necessary information in the event of a security event investigation.

We also reviewed the SEC's backup retention policies and procedures. We found that the SEC performs               on critical files                  on every server.                                     and stored for                        are then reused. We also found that OIT has documented policies and procedures outlining the roles and responsibilities for backing up data. Although NIST does not specify a retention period for backup data, industry best practices call for a     retention period. We are recommending that the Commission lengthen its retention period from                         and update its policies and procedures accordingly. During this review, we also found that                        stored       in a         facility.

As part of our review of the backup policies and procedures at the Commission, C5i reviewed the Commission's disaster recovery plans and the most recent results of the disaster recovery tests that were performed.
As documented in the 2010 FISMA assessment report,[5] the SEC has established and maintains an agency-wide continuity of operations plan (COOP) and disaster recovery program consistent with the requirements of NIST, FISMA, OMB, and the provisions of the February 2008 Federal Continuity Directive,[6] which state that continuity plans and programs should be developed and have well-documented policies and procedures.[7] However, in reviewing the disaster recovery test results, C5i found that not all the tests produced successful results. For example, some applications exceeded the maximum allowable time to come back online, and communication and coordination were not as strong as needed. C5i did find there were improvements from the semiannual April and November 2010 tests to the retest performed in January 2011. However, we are still concerned about the SEC's full failover and restore capabilities. Because of the issues encountered in the disaster recovery exercises, C5i is concerned that in the event of a major disaster, a fully successful failover and recovery could not be completed.

[5] 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).
[6] Federal Continuity Directive, Federal Executive Branch Continuity Program and Requirement (February 2008).

During a previous assessment,[8] we found many issues with OIT's patching policies and procedures, specifically ineffective patch management. During this assessment, C5i found that the Commission had made great strides in improving the deployment of patches to its systems and ensuring that the systems were up to date with current security remediation issued by vendors.
However, C5i also found that the environment used to test patches before deployment to the Commission's production systems was not configured identically to the production environment, because of differences in hardware and software. Using a test environment that does not accurately reflect the current production environment can produce inaccurate results and can result in patches or other remediation failing to work correctly when deployed into production, which can lead to adverse effects on the production network and degradation of network performance. We are recommending that the Commission configure its testing and production environments identically to ensure that the results of pre-deployment tests of patches are full and conclusive.

During the 2010 FISMA assessment, C5i found that the SEC's network password policy is not Federal Desktop Core Configuration compliant with respect to password complexity and the frequency with which passwords are required to be changed.[9] Our review found that the SEC password policy is not consistently applied to all network users.
C5i found five contractors who had never been prompted to change their passwords and had held their then-current passwords for more than               , in violation of the SEC's password policy, which requires                                              passwords to be changed                        .[10] C5i also found that the SEC password policy requirements for complexity, as documented in SEC Implementing Instruction II 24-04.06.01 (01.1), Identification and Authentication, July 9, 2008, are inconsistent with the Group Policy requirements implemented in Active Directory on the SEC network, in that the Group Policy requirements require                                                  .

[7] OIT-00047-001.0, Disaster Recovery Planning Procedures; 24-04.09, IT Security Business Continuity Management Program; SEC Implementing Instruction 24-04.09.01 (02.0), System Business Impact Analysis; and OIT-00003-001.0, Disaster Recovery Planning Policy.
[8] Assessment of SEC's Privacy Program, Report No. 485 (Sept. 29, 2010).
[9] 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).
[10] SEC Implementing Instruction II 24-04.06.01 (01.1), Identification and Authentication (July 9, 2008).

Further, C5i tested procedures for requesting password changes through the SEC help desk and performed four separate tests to determine whether help desk technicians were following the proper procedures to fully verify callers' identity before resetting their network password. C5i found many inconsistencies. For example, some technicians requested information such as                                        and others did not.
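Both of the password findings above, contractor accounts that were never forced to change their passwords and a gap between the documented requirements and what Group Policy enforces, can be checked directly against the directory rather than by interview. The PowerShell below is an added example, not code from the OIG report, C5i, or OIT. It assumes the RSAT ActiveDirectory module with read access to the domain, and it uses a 90-day maximum password age and a 12-character minimum length as placeholders for the redacted values in Implementing Instruction II 24-04.06.01.

```powershell
# Added example, not from the OIG report. Compares the password policy the
# domain actually enforces with the documented requirement and lists enabled
# accounts that are exempt from, or already past, the documented maximum age.
# Assumptions: RSAT ActiveDirectory module; read access to the domain; the two
# documented values below are placeholders for figures redacted in the report.
Import-Module ActiveDirectory

$DocumentedMaxAgeDays = 90     # assumed; the Implementing Instruction's value is redacted
$DocumentedMinLength  = 12     # assumed, for the same reason

# 1. What the default domain policy (Group Policy) enforces domain-wide.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MaxAgeDocumented    = $DocumentedMaxAgeDays
    MaxAgeEnforced      = $policy.MaxPasswordAge.Days   # 00:00:00 means no maximum is enforced
    MinLengthDocumented = $DocumentedMinLength
    MinLengthEnforced   = $policy.MinPasswordLength
    ComplexityEnabled   = $policy.ComplexityEnabled
    HistoryCount        = $policy.PasswordHistoryCount
} | Format-List

# 2. Fine-grained password policies override the default for the groups they
#    apply to, so an exemption granted to a contractor group shows up here
#    even though the default domain policy looks correct.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, AppliesTo |
    Format-Table -AutoSize

# 3. Per-account exceptions. PasswordLastSet is $null when the password was
#    never set or the account is flagged "must change at next logon", so only
#    accounts with a real timestamp are aged.
$cutoff = (Get-Date).AddDays(-$DocumentedMaxAgeDays)
$exceptions = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordNotRequired, Description |
    Where-Object {
        $_.PasswordNeverExpires -or
        $_.PasswordNotRequired  -or
        ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, Description, PasswordLastSet,
        PasswordNeverExpires, PasswordNotRequired,
        @{ Name = 'AgeDays'; Expression = {
            if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } } }

$exceptions | Sort-Object AgeDays -Descending | Format-Table -AutoSize
$exceptions | Export-Csv -NoTypeInformation -Path .\password-policy-exceptions.csv
```

An account on the exception list with PasswordNeverExpires set is exactly the condition that lets a password survive past the documented maximum without anyone ever being prompted, and a fine-grained policy applied to a group is one way that flag's effect can be reproduced without touching the default domain policy at all. Running the script on a schedule and diffing the CSV from one run to the next turns the one-time finding into the kind of continuous check the report is about.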
Although OIT Policy 41-07-007-001.0, Technical Assistance Center/Customer Care Center Password Reset Procedures for Remote and LAN Accounts, specifies the information that technicians are to verify before they reset a password, C5i found that technicians are not consistently following these procedures. In addition, the policy should be updated to include the new requirement to verify the                          .

Furthermore, C5i conducted two additional tests to verify whether the password structure documented in SEC II 24-04.06.01 (01.1), Identification and Authentication, was being fully enforced. We found that although a           is        in the                    , the requirement         being          by the                 .

When an SEC help desk technician resets a password, the technician provides the caller with a                    such as               or                 , but when the caller logs into the SEC network for the first time with the                                                                 . This, coupled with inconsistent application of the requirement that             be                  , could allow individuals to                         . We recommend that OIT investigate using a random password generator that would generate a complex password for users requesting a password reset, which would (1) provide more secure temporary passwords and (2) spur users to change their password on their first log-on attempt after the reset. OIT should also investigate the implementation of a prompt that directs users to change their help-desk-issued             on their         on, to help ensure that             are used only       .[11]

As reported in the OIG's 2010 FISMA Assessment,[12] C5i found that 14 network accounts had not been properly terminated when users had separated from or been terminated by the Commission.
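The random-generator and first-logon-change recommendation for help desk resets, made a few paragraphs above, can be implemented with the ActiveDirectory module in a few lines. The PowerShell below is an added example, not the help desk's actual procedure or any SEC code. It assumes the technician has already verified the caller's identity under OIT Policy 41-07-007-001.0, has account-operator rights, and runs on a workstation with the RSAT ActiveDirectory module; the character classes and the 16-character length are choices made here, not values from the report.

```powershell
# Added example, not from the OIG report or OIT's help-desk tooling. Resets a
# verified caller's password to a random temporary value that satisfies the
# complexity rules, forces a change at first logon, and confirms the flag took
# effect before the value is read to the caller. Assumptions: RSAT
# ActiveDirectory module; account-operator rights; caller already verified.
Import-Module ActiveDirectory

$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Uniform integer in [0, $Max) from the CSPRNG. Rejection sampling discards
    # bytes that would bias the result; $Max must be 256 or less.
    param([int]$Max)
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    $b[0] % $Max
}

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Ambiguous glyphs (O/0, l/1/I) are left out so the value can be read over
    # the phone without error. Taking one character from each class guarantees
    # the result passes Windows complexity whichever three classes it demands.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz',
               '23456789', '!@#$%^&*-_=+'
    $pool  = -join $classes
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($set in $classes) { $chars.Add($set[(Get-RandomIndex $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($pool[(Get-RandomIndex $pool.Length)]) }
    # Fisher-Yates shuffle so the mandatory characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

function Reset-HelpDeskPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $temp   = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force
    # AD refuses "change at next logon" on an account flagged never-expire, so
    # clear that flag first; it is also the condition behind the contractor finding.
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    # AD records "must change at next logon" as pwdLastSet = 0. Verify it before
    # handing out the value so the temporary password cannot linger as a
    # working credential.
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($u.pwdLastSet -ne 0) { throw "Change-at-logon flag not set on $SamAccountName" }
    Write-Output $temp   # read to the verified caller; never e-mail it
}

# Usage: Reset-HelpDeskPassword -SamAccountName jdoe
```

The two halves of the recommendation are separate controls and fail separately: a random value stops a caller from guessing a colleague's temporary password, and the forced change stops a temporary value that was read out over the phone from staying valid. The check on pwdLastSet at the end is there because the second control is the one a technician can silently skip.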
Our review of the procedures used to activate and terminate network accounts found that although the procedures are documented, there is no "cross-reference" or audit performed by OIT, the Office of Human Resources, and the Office of Administrative Services (OAS) to ensure all terminations have been received and processed in a timely manner. C5i also found that while OIT has a policy for contractors' entry and exit that specifies steps for issuing badges, setting up and terminating accounts, equipment issuance, and so on, the policy does not apply Commission-wide. At the time of our review, OAS was developing a policy to be implemented throughout the Commission, but it had not been completed or approved. C5i also found that the OAS policy under development lacked some of the detail that was included in OIT's policy, such as roles and responsibilities and checklists. C5i is recommending that OAS and OIT work together on a Commission-wide policy and finalize and implement this policy.

[11] As of June 8, 2011, one contractor's password had expired, reflecting that OIT is taking steps to remediate this issue. The password was changed to a randomly generated password. Three of the contractors are no longer working at the SEC, and the other test subject has not yet been affected by the change in procedure.
[12] 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011).
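The missing cross-reference between the termination notices that OHR and OAS send and the accounts OIT actually disables is, mechanically, a join between a list of separations and the directory. The PowerShell below is an added example, not an SEC or C5i procedure. It assumes the RSAT ActiveDirectory module, a CSV of separation notices with the columns SamAccountName, SeparationDate and Source (a constructed layout, since the report does not describe the notices), and a one-day deactivation deadline that stands in for whatever timeframe the Commission's procedures set.

```powershell
# Added example, not from the OIG report. Reconciles the separation notices
# that OHR (employees) and OAS/contracting (contractors) say they sent against
# what Active Directory shows, so a notice that was never acted on is found
# rather than assumed. Assumptions: RSAT ActiveDirectory module; a constructed
# CSV with columns SamAccountName, SeparationDate, Source; a one-day deadline.
Import-Module ActiveDirectory

$GraceDays = 1    # assumed deadline for deactivation after separation

function Get-TerminationExceptions {
    param([Parameter(Mandatory)][string]$SeparationsCsv)

    $today = Get-Date
    foreach ($row in Import-Csv -Path $SeparationsCsv) {
        $separated = [datetime]$row.SeparationDate
        # -Filter rather than -Identity so a missing account yields $null instead of an error.
        $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                    -Properties Enabled, LastLogonDate, AccountExpirationDate, whenChanged

        $status = if (-not $user) {
            'NO MATCHING ACCOUNT (verify name or prior deletion)'
        } elseif ($user.Enabled -and $today -gt $separated.AddDays($GraceDays)) {
            'STILL ENABLED PAST DEADLINE'
        } elseif ($user.Enabled) {
            'STILL ENABLED (within grace period)'
        } elseif ($user.LastLogonDate -and $user.LastLogonDate -gt $separated) {
            # LastLogonDate comes from lastLogonTimestamp, which can lag up to
            # 14 days, so a hit here is certain but a miss is not conclusive.
            'DISABLED, BUT USED AFTER SEPARATION'
        } else {
            'OK'
        }

        $enabled   = if ($user) { $user.Enabled }       else { $null }
        $lastLogon = if ($user) { $user.LastLogonDate } else { $null }

        [pscustomobject]@{
            SamAccountName = $row.SamAccountName
            Source         = $row.Source
            SeparationDate = $separated.ToString('yyyy-MM-dd')
            Enabled        = $enabled
            LastLogonDate  = $lastLogon
            Status         = $status
        }
    }
}

# Usage. The CSV is a constructed sample of what OHR and OAS would hand over:
#   SamAccountName,SeparationDate,Source
#   jdoe,2011-05-31,OHR
#   acontractor,2011-04-15,OAS
Get-TerminationExceptions -SeparationsCsv .\separations.csv |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

This catches a notice that was never acted on, but not a separation that nobody reported. The reverse check, enabled accounts whose owner appears on no current roster, needs the active employee and contractor lists as a second input, and that is the half of the audit that depends on OHR and the contracting office keeping their records complete, which is why the recommendation names all three offices.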
Training for all staff involved with contractors, such as Contracting Officers, Contracting Officer's Technical Representatives, and Contractor Points of Contact, should also be developed and rolled out to ensure the policy is effectively and thoroughly communicated.

Summary of Recommendations. Our review determined that numerous improvements were required to enhance the SEC's continuous monitoring program. Specifically, we recommended the following:

(1) OIT should review the Commission's Microsoft Active Directory settings and make the necessary changes to ensure that OIT password policy requirements, as documented in the Implementing Instruction, are strictly enforced for both on-site and remote users and that the documented password structure set forth in OIT policy is strictly enforced.

(2) OIT's help desk should begin using a random password generator to create temporary passwords and require users to                            on their         .

(3) OIT should implement training for                personnel to ensure that           technicians consistently verify users' information in accordance with OIT policy when they receive requests to change user accounts and passwords.

(4) OIT should ensure that security control configurations that are applied in the production environment are identical to those applied in the testing environment.

(5) OIT should develop and implement written procedures to ensure configuration consistency in the Commission's production and testing environments.
These procedures should detail the software and hardware components in both environments and specify the actions required to maintain consistent environments.

(6) OIT should complete and finalize written server and storage log management policies and procedures that fully document roles and responsibilities for log capture, management, retention, and separation of duties.

(7) OIT should require that the                     and the                                    have consistent, appropriately installed application and system configuration files to ensure the ability to successfully fail over and/or restore in the event of a disaster.

(8) OIT should fully document and communicate the criteria used to determine the success or failure of an application during the disaster recovery tests to ensure consistent reporting of results and alleviate confusion.

(9) OIT should analyze the level of criticality of the Commission's data being            and the needs and wants of its customers, and establish an appropriate backup retention period, based on the results of that analysis, that meets the requirements of the Commission.

(10) OIT should ensure that                    from the Commission's                            are sent to an                         .

(11) OAS should work with OIT to develop and implement a comprehensive Commission-wide policy for the entry and exit of contractors.

(12) After the OAS contractor entry and exit policy, Contractor Personnel Employment Entrance and Exit Procedures, has been finalized and approved, OAS should provide training and communicate with responsible parties, such as Contracting Officers, Contracting Officer's Technical Representatives, and Inspection and Acceptance Officials, regarding their roles and responsibilities and proper procedures with respect to contractor entry into and exit from the Commission.

(13) OHR, OIT, OAS, and the contracting office should perform, at a minimum, a                 of separated/terminated employees and contractors to ensure that OIT has received all account termination notices and has deactivated the appropriate accounts in a timely manner.

TABLE OF CONTENTS

Executive Summary ... iv
Table of Contents ... xi
Background and Objectives ... 1
Findings and Recommendations ... 3
  Finding 1: OIT Is Not Fully Enforcing the Requirements of Its Implementing Instruction for User Account Identification and Authentication ... 3
    Recommendation 1 ... 5
    Recommendation 2 ... 5
  Finding 2: OIT's Help Desk Password and PIN Reset Verification Procedures Need Improvement ... 6
    Recommendation 3 ... 9
  Finding 3: OIT's Test and Production Environments Are Not Identically Configured ... 9
    Recommendation 4 ... 11
    Recommendation 5 ... 12
  Finding 4: Policies and Procedures for Computer Management, and             Have Not Been Fully Implemented, and Duties Should Be Segregated ... 12
    Recommendation 6 ... 18
  Finding 5: OIT's                and                          Disaster Recovery Tests Were Not Fully Successful Because Some Internal Applications Did Not Failover ... 18
    Recommendation 7 ... 22
    Recommendation 8 ... 22
  Finding 6: OIT Has Not Sufficiently Conducted an Analysis to Determine Whether Its Information System Backup Retention Period Is Sufficient ... 23
    Recommendation 9 ... 25
  Finding 7: All SEC             Are Not                              ... 25
    Recommendation 10 ... 27
  Finding 8: OAS' Draft Contractor Entry and Exit Procedures Should Be Revised to Include More Comprehensive Procedures ... 27
    Recommendation 11 ... 29
    Recommendation 12 ... 29
  Finding 9: SEC Lacks Procedures to Ensure Timely Termination of Network Accounts ... 29
    Recommendation 13 ... 31

Appendices
  Appendix I. Abbreviations ... 32
  Appendix II. Scope and Methodology ... 33
  Appendix III. Criteria and Guidance ... 37
  Appendix IV. Disaster Recovery Tests for External and Internal Applications ... 40
  Appendix V. Screenshots ... 43
  Appendix VI. List of Recommendations ... 49
  Appendix VII. Management's Comments ... 52
  Appendix VIII. OIG Response to Management's Comments ... 57

Tables
  Table 1. Internal Applications That Did Not Failover ... 20
  Table 2. Comparison of                                                                 With Results of                                                                      ... 21
  Table 3. Comparison of                                                                          With Results of                                                                   ... 21
  Table 4.                              ... 40
  Table 5. Internal Applications               During                                              ... 41

Figures
  Figure 1. Event Logs:                                                               ... 43
  Figure 2. Event Logs: Historical Archives                                                                                          ... 43
  Figure 3. Event Logs: Historical Archives                                                               ... 44
  Figure 4. Active Directory Logs:                          ... 45
  Figure 5. Active Directory Logs:                                             ... 45
  Figure 6. Active Directory Logs:                              ... 46
  Figure 7. Active Directory Logs:                        ... 46
  Figure 8. ADC                                                                                        ... 47
  Figure 9. ADC                                                                                        ... 47
  Figure 10. OPC                                                                               ... 48

Background and Objectives

Background

Overview. In August 2010, the U.S. Securities and Exchange Commission (SEC or Commission), Office of Inspector General (OIG), contracted with C5i Federal, Inc. (C5i) to assist with completing and coordinating the OIG's input to the Commission's response to Office of Management and Budget (OMB) Memorandum M-10-15, Fiscal Year (FY) 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.[13] This memorandum provides the instructions and templates for meeting the FY 2010 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA).[14] The SEC OIG also contracted with C5i to review the SEC's continuous monitoring program and the handling of SEC personally identifiable information (PII) by third-party contractors.[15]

This report presents the results of C5i's review of the SEC's continuous monitoring program. Continuous monitoring is the process of tracking the security state of an information system on an ongoing basis and maintaining the security authorization for the system over time. Understanding the security state of information systems is essential in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and business processes. C5i did not conduct detailed control tests, as they were not within the scope of its work.

According to National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53), continuous monitoring includes, but is not limited to, the following components:

• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identification and Authentication

[13] OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (Apr. 21, 2010), http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-15.pdf.
[14] Federal Information Security Management Act of 2002 (Title III, Pub. L. No.
107-347), http://csrc.\nnist.gov/drivers/documents/FISMA-final.pdf.\n15\n   OIG, Review of Third-Party Contractor\xe2\x80\x99s Handling of SEC Personally Identifiable Information, Report No.\n496.\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                                        August 11, 2011\nReport No. 497\n                                                 Page 1\n                                  REDACTED PUBLIC VERSION\n\x0c     \xe2\x80\xa2   Incident Response\n     \xe2\x80\xa2   Maintenance\n     \xe2\x80\xa2   Media Protection\n     \xe2\x80\xa2   Physical and Environmental Protection\n     \xe2\x80\xa2   Planning\n     \xe2\x80\xa2   Personnel Security\n     \xe2\x80\xa2   Risk Assessment\n     \xe2\x80\xa2   System and Services Acquisition\n     \xe2\x80\xa2   System and Communications Protection\n     \xe2\x80\xa2   System and Information Integrity 16\n\nObjective\nTo review the SEC\xe2\x80\x99s continuous monitoring program and further assess the\nSEC\xe2\x80\x99s current policies and procedures and its compliance with the NIST, FISMA,\nand OMB guidance.\n\n\n\n\n16\n   National Institute of Standards and Technology (NIST), Recommended Security Controls for Federal\nInformation Systems and Organizations, Special Publication 800-53, Revision 3, Annex 3, pp. 2-7,\nhttp://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                                       August 11, 2011\nReport No. 
497\n                                                Page 2\n                                  REDACTED PUBLIC VERSION\n\x0c                  Findings and Recommendations\n\nFinding 1: OIT Is Not Fully Enforcing the\nRequirements of Its Implementing Instruction for\nUser Account Identification and Authentication\n           OIT\xe2\x80\x99s      Implementing    Instruction  24-04.06.01(01.1),\n           Identification and Authentication for all network user\n           accounts is not being fully enforced. As a result, OIT\xe2\x80\x99s\n           practices are in violation of Implementing Instruction 24-\n           04.06.01 (01.1) and NIST 800-53.\n\nPasswords are an essential component in protecting an organization\xe2\x80\x99s computer\nnetworks and the information they contain. When a network account is initially\nsetup at the Commission, users are assigned a user name and a temporary\npassword that must be changed when the user logs onto the network for the first\ntime. The user is prompted to change the password and the password is to be\nchanged at regular intervals according to OIT Implementing Instruction 24-\n04.06.01(01.1), Identification and Authentication, which states the following:\n\n           With the exception of initial passwords, user-selected\n           passwords are required.               expire every\n                                                 which\n                  The information system must have an automated\n           mechanism to ensure that users and administrators change\n           their passwords at an interval not greater than the\n           timeframes established by this policy. The information\n           system provides the user, via a popup alert on login, with a\n                                      of                    . 
17\n\nIn the Microsoft Active Directory Network environment, OIT uses the built in\nMicrosoft feature called Group Policy which provides the centralized\nmanagement and configuration of operating systems, applications and users\'\nsettings. Microsoft Group Policy is a set of rules that controls the working\nenvironment of user accounts and computer accounts, essentially controlling\nwhat users can and cannot do in Microsoft environments. Microsoft\xe2\x80\x99s default\nGroup Policy password structure requires that passwords contain characters\nfrom three of the following five categories:\n\n\n\n\n17\n     OIT Implementing Instruction 24-04.06.01 (01.1), Identification and Authentication (July 9, 2008).\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                                             August 11, 2011\nReport No. 497\n                                                    Page 3\n                                     REDACTED PUBLIC VERSION\n\x0c           \xe2\x80\xa2    Uppercase characters of European languages (A through Z,\n                with diacritic marks, Greek and Cyrillic characters)\n           \xe2\x80\xa2    Lowercase characters of European languages (a through z,\n                sharp-s, with diacritic marks, Greek and Cyrillic characters)\n           \xe2\x80\xa2    Base 10 digits (0 through 9)\n           \xe2\x80\xa2    Non-alphanumeric characters: ~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/\n           \xe2\x80\xa2    Any Unicode character that is categorized as an alphabetic\n                character but is not uppercase or lowercase. This includes\n                Unicode characters from Asian languages. 18\n\nAccording to OIT\xe2\x80\x99s Implementing Instruction for Identification and Authentication,\nsystem and application passwords must be at least eight characters long, contain\nat least one number, and include at least one special character (i.e., a non-\nalphabetic or non-numeric symbol). 
They should also be complex or difficult to\nguess and should not contain full dictionary words. 19\n\nC5i determined that the instruction is written to apply to all users who access\nSEC systems, whether onsite or remotely, and conforms with NIST 800-53,\nSecurity Control IA-5 Authenticator Management, 20 although it does not comply\nwith Federal Desktop Core Configuration standards for password length and\nchange intervals, as noted in the OIG\xe2\x80\x99s 2010 Annual FISMA Executive Summary\nReport. 21 While the instruction conforms to NIST 800-53, OIT is not\nimplementing the instruction in a manner that complies with NIST 800-53\nstandards.\n\nNIST 800-53 standards require that passwords have defined \xe2\x80\x9clifetime\nrestrictions,\xe2\x80\x9d i.e., how frequently passwords need to be changed. 22 Further, the\nImplementing Instruction provides the requirement that user passwords be\nchanged every 120 days and that the user is prompted 14 days prior to the\nexpiration of their current password to make the change. 23 However, C5i\nidentified discrepancies with password change prompting personnel who\nremotely access SEC systems via the virtual private network, Citrix, or Outlook\nWeb Access. C5i\xe2\x80\x99s judgmental sample found five cases where contractors who\n                       SEC            were not           to\n                                         and had                            for\n                   . Two of the five contractors received their passwords in\n       and the other three received their passwords in\n\n\n18\n   http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx.\n19\n   Id., p. 3.\n20\n   NIST 800-53, p. F-57, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n21\n   OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 6, 2011).\n22\n   NIST 800-53, p. 
F-57, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n23\n   OIT Implementing Instruction 24-04.06.01 (01.1), Identification and Authentication (July 9, 2008).\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                                           August 11, 2011\nReport No. 497\n                                                  Page 4\n                                   REDACTED PUBLIC VERSION\n\x0c                                                                          24\nHowever, none of them have been\nAlthough a                           solution is in place for the initial\nauthorization of remote users, the Microsoft Windows Active Directory password\nchanges are not enforced and the cases C5i identified violate OIT Implementing\nInstruction 24-04.06.01 (01.1) and NIST 800-53. 25\n\n         Recommendation 1:\n\n         The Office of Information Technology (OIT) should review the\n         Commission\xe2\x80\x99s Microsoft Active Directory settings and make the necessary\n         changes to ensure that OIT password policy requirements, as\n         documented in the Implementing Instruction, are strictly enforced for both\n         on-site and remote users and that the documented password structure set\n         forth in OIT policy is strictly enforced.\n\n         Management Comments. OIT concurred with this recommendation.\n         See Appendix VII for management\xe2\x80\x99s full comments.\n\n         OIG Analysis. We are pleased that OIT concurred with this\n         recommendation.\n\n         Recommendation 2:\n\n         The Office of Information Technology help desk should begin using a\n         random password generator to create temporary passwords and require\n         users to                  on their\n\n         Management Comments. 
OIT concurred with this recommendation.\n         See Appendix VII for management\xe2\x80\x99s full comments.\n\n         OIG Analysis. We are pleased that OIT concurred with this\n         recommendation.\n\n\n\n\n24\n   As of June 8, 2011 one of the contractor\xe2\x80\x99s passwords expired reflecting that OIT is taking steps to\nremediate this issue. The password was changed to a randomly generated password. Three of the\ncontractors are no longer working at the SEC, and the other test subject has not yet been affected by the\nchange in procedure.\n25\n   NIST 800-53, p. F-58, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                                         August 11, 2011\nReport No. 497\n                                                 Page 5\n                                  REDACTED PUBLIC VERSION\n\x0cFinding 2: OIT\xe2\x80\x99s Help Desk Password and PIN\nReset Verification Procedures Need Improvement\n           OIT help desk does not always apply consistent procedures\n           when users call to request a password reset.\n\nWhen an SEC user requests a user password or personal identification number\n(PIN) reset from                    responding technicians do not always use\nconsistent verification procedures. 
By not always properly and fully verifying the [redacted] to the [redacted],
OIT personnel are violating documented OIT procedures and increasing the risk
that they inadvertently help a malicious party gain access to SEC's systems.

According to OIT Policy 41-07-007-001.0, [redacted] Password Reset Procedures
for [redacted] (OIT Policy 41-07-007-001.0), the following user information
must be verified before a password or PIN reset is processed:

      [redacted]

During interviews with OIT staff, C5i found that in certain cases, before
[redacted] technicians process a user password or PIN reset, they verified the
[redacted] by [redacted] asking for the user's [redacted], the [redacted] of
the [redacted], and the [redacted], which according to OIT Policy
41-07-007-001.0 is not sufficient.

To test [redacted] compliance with OIT's documented user password and PIN
reset policy, a C5i contractor who had just received his SEC network
credentials attempted to log onto his account at the SEC Operations Center
(OPC) in Alexandria, Virginia. When the contractor's temporary password did
not work, he used the [redacted] to call the [redacted] for assistance. The
technician asked for the person's [redacted] and the password was reset. To
determine whether this behavior was an anomaly, C5i conducted [redacted]
additional tests of whether the OIT help desk obtained the information
required by OIT Policy 41-07-007-001.0 from individuals requesting password
and PIN resets, as described below.[27]

[26] OIT Help Desk, (202) 551-4357, Option 2.
[27] In all tests, the contractors used their true identities and did not
represent themselves as someone else.

      Test 1: On January 21, 2011, a C5i contractor working for SEC called
      the [redacted] from [redacted] and requested his password be reset. The
      [redacted] technician asked for the person's [redacted], the
      [redacted], and whether he was an [redacted] or a [redacted]. The
      technician did not reset the password because the call did not come
      from a [redacted]. The technician said that he did not have the
      authority to make the change and referred the contractor to an OIT
      information technology (IT) specialist who could help reset the
      password. While OIT Policy 41-07-007-001.0 does not specifically
      require referral to an IT specialist in this type of situation, C5i
      found that the [redacted] technician's verification of the caller's
      identity was more thorough than in the initial test case described
      above.

      Tests 2 and 3: On January 27, 2011, two C5i contractors contacted the
      [redacted] and requested their passwords be reset. The calls were made
      from the [redacted] location in [redacted], from the desk of an
      [redacted], and from a [redacted] telephone. The technicians verified
      both callers' identities by obtaining their [redacted], and the
      [redacted], then reset the passwords.
The technicians did not, however, obtain all the required information needed
      to verify the callers' identity, as described in OIT Policy
      41-07-007-001.0.

      Test 4: On January 28, 2011, a C5i contractor called the [redacted]
      from a [redacted] and requested his password be reset. The technician
      only verified the caller's [redacted] and then reset the password,
      which violates OIT Policy 41-07-007-001.0.[28]

On their next logins, which occurred onsite at [redacted] location,
[redacted], and [redacted], the four contractors who performed the tests
described above were not [redacted] the [redacted] passwords they were given
by [redacted] staff. As of February 7, 2011, the four contractors [redacted].
Although the [redacted] conform to OIT Implementing Instruction 24-04.06.01
(01.1) (i.e., they have a minimum of [redacted] characters and contain a
[redacted]), all four contractors contend that the structure of the
[redacted] is not sophisticated and could [redacted] be compromised. The four
contractors did not share their passwords with anyone and only confirmed that
they were [redacted].

[28] OIT was not notified of the results of these tests prior to the issuance
of this report, as this was not a requirement of the assessment.

Further, to test compliance with OIT Implementing Instruction 24-04.06.01
(01.1) for password characteristics and structure, C5i conducted the following
two additional tests:

      Test 5: On February 7, 2011, while [redacted] at the [redacted] offices,
      one of the four contractors who had received a [redacted] password from
      the [redacted] technician changed the [redacted] password to further
      test compliance with OIT Implementing Instruction 24-04.06.01 (01.1).
      The contractor purposely did not include [redacted] as required by the
      Implementing Instruction, and the new password was successfully changed
      without the required [redacted].

      Test 6: To confirm that the result of Test 5 was not an anomaly, two
      additional contractors and an SEC employee changed their [redacted] on
      February 7, 2011, and February 8, 2011, respectively. First, they
      attempted to change their [redacted] using only [redacted] and
      [redacted] or [redacted], but the system rejected [redacted]. They then
      used a [redacted] but no [redacted], and that password change was
      accepted.

C5i's review found that the SEC's network systems are not always enforcing the
SEC's documented, required [redacted], as evidenced by the ability of SEC
contractors and employees to [redacted] without using [redacted] as required
by OIT Implementing Instruction 24-04.06.01 (01.1).
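Tests 5 and 6 turn on the difference between two rules the report describes: Microsoft's default Group Policy complexity requirement (characters from three of the five categories listed under Finding 1) and OIT Implementing Instruction 24-04.06.01 (01.1) as the report states it (at least eight characters, at least one number, at least one special character). The checker below is an added example written for this page; it is not code from the report, from OIT, or from Microsoft. It models only what the report says about each rule (the default policy's other conditions, such as a minimum length, are not described on the page and are not modelled), constructs its own sample passwords, and shows which passwords each rule accepts, so the gap between "accepted by the system" and "compliant with the instruction" can be seen directly.

```python
"""Compare the two password rules discussed in Findings 1 and 2.

Added example, not part of the OIG report or of any SEC/OIT system.
`meets_windows_complexity` models the default Group Policy rule as the
report describes it (three of five character categories);
`meets_oit_instruction` models the OIT Implementing Instruction as the
report states it (>= 8 characters, a digit, a special character).
All sample passwords are constructed for illustration.
"""
import unicodedata

# Non-alphanumeric set exactly as listed under Finding 1.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
DIGITS = set("0123456789")  # "base 10 digits" only, not other Unicode digits


def windows_categories(password: str) -> set:
    """Return which of the five Group Policy categories `password` touches."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in DIGITS:
            found.add("digit")
        elif ch in SPECIAL_CHARS:
            found.add("special")
        elif cat.startswith("L"):
            # Alphabetic but neither upper- nor lowercase, e.g. CJK
            # ideographs (Unicode category Lo): the report's fifth category.
            found.add("other_alpha")
    return found


def meets_windows_complexity(password: str) -> bool:
    """Three of five categories, as the report describes the default policy.
    Assumption: the default policy's other conditions (minimum length,
    user-name check) are outside what the page states and are not modelled."""
    return len(windows_categories(password)) >= 3


def meets_oit_instruction(password: str) -> bool:
    """OIT Implementing Instruction 24-04.06.01 (01.1) as stated in the report:
    at least eight characters, at least one number, at least one special
    character (the dictionary-word rule is not modelled)."""
    return (
        len(password) >= 8
        and any(ch in DIGITS for ch in password)
        and any(ch in SPECIAL_CHARS for ch in password)
    )


def compare(password: str) -> dict:
    """Result of both rules for one candidate password."""
    return {
        "windows_default": meets_windows_complexity(password),
        "oit_instruction": meets_oit_instruction(password),
    }


if __name__ == "__main__":
    # Constructed samples; none is a real credential.
    for pw in ["Summer2011", "Summer2011!", "summer2011", "密码密码1234", "Ab1!"]:
        print(f"{pw!r:16} -> {compare(pw)}")
```

The sample "Summer2011" is the instructive case: it satisfies three categories (uppercase, lowercase, digit) and so passes the default complexity check, yet fails the instruction because it has no special character. A domain that relies on the default setting alone therefore accepts passwords the instruction forbids, which is the mechanism Finding 2's Tests 5 and 6 exercise; the remedy is to enforce the instruction's requirements in the directory itself, as Recommendation 1 asks.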
The\nSEC\xe2\x80\x99s network systems are set to comply with                          , which has\nless complex requirements than the                               This deficiency\nmust be addressed to ensure full compliance with the SEC\xe2\x80\x99s\nThe failure to enforce Implementing Instruction 24-04.04.01 (01.1) most stringent\nrequirements increases the risk that user accounts and critical SEC data could\nbe compromised.\n\nC5i also determined from the results of the tests described above that OIT\n     personnel did not consistently verify                   in accordance with\nOIT Policy 41-07-007-001.0. By not properly and fully verifying the\n                          OIT personnel are violating documented OIT policy and\nincreasing the risk that they might inadvertently help a malicious party gain\naccess to SEC systems.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                     August 11, 2011\nReport No. 497\n                                        Page 8\n                            REDACTED PUBLIC VERSION\n\x0c       Recommendation 3:\n\n       The Office of Information Technology (OIT) should implement training for\n                       personnel to ensure that          technicians consistently\n       verify users\xe2\x80\x99 information in accordance with OIT policy when they receive\n       requests to change user accounts and passwords.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\nFinding 3: OIT\xe2\x80\x99s Test and Production\nEnvironments Are Not Identically Configured\n       OIT\xe2\x80\x99s test and production environments are not identically\n       configured. 
As a result, OIT may be unable to fully assess\n       and determine if updates to applications and software tested\n       in the test environment that are deployed into the production\n       environment will operate and function as intended and\n       prevent unintended negative impacts to the existing\n       production environment.\n\nA testing environment is created for the purpose of testing application and\nsoftware upgrades, new applications, security patches, configuration\nmodifications, and the like, that are to be deployed throughout an organization to\nconfirm that they function properly and have no negative impact on the existing\nproduction environment. A production environment consists of the hardware and\nsoftware used day-to-day to conduct the organization\xe2\x80\x99s business. The setup of\nsoftware and hardware components consists of physical and logical and other\nneeded software components.\n\nTesting is an essential component of IT staff practices in any organization. The\ntesting environment is used by testers to load and test new applications, system\nor application patches, system updates, and software products prior to their\nimplementation in production systems. In the testing environment tests are\nconducted to identify and remediate any issues that emerge (e.g., software\nincompatibility) and thereby prevent them from occurring in the production\nenvironment, and to ensure that production systems are capable of handling new\napplications, patches, system updates, and software products.\n\n\n\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                   August 11, 2011\nReport No. 
497\n                                        Page 9\n                            REDACTED PUBLIC VERSION\n\x0cAs stated in NIST SP800-123, Guide to General Server Security, \xe2\x80\x9cAdministrators\nshould generally not apply patches to production servers without first testing\nthem on another identically configured server because patches can inadvertently\ncause unexpected problems with proper server operation.\xe2\x80\x9d29\n\nTesting new software and security patches in an environment that is not\nidentically configured can provide false-positive results which incorrectly indicate\nthat a deployment will be successful. If, for example, a patch were deployed into\nproduction without first being tested in an identically configured environment, the\npatch could have a severe negative effect on an organization\xe2\x80\x99s network or\napplications, such as locking out users from system files or causing the system to\ncrash. The more closely the test environment configuration reflects the\nproduction environment\xe2\x80\x94through the use of duplicate hardware and software\ncomponents and version numbers\xe2\x80\x94the more likely it is that the performance\nobtained in the testing environment will reflect the performance obtained in the\nproduction environment. Ideally, once any upgrade or change has been properly\ntested, the results demonstrate the desired functionality, and the testing has\nbeen deemed sufficiently reliable, the upgrade or change can be deployed to the\nproduction environment and made available to users without having unintended,\nnegative effects on the network or applications.\n\nThrough interviews with OIT staff, C5i discovered that OIT\xe2\x80\x99s testing and\nproduction environment is not identically configured. 
C5i determined that the\ndifferences have occurred because major applications or software in the testing\nenvironment (1) do not have the correct configuration files, (2) are not the correct\nversion, and (3) are not being set up to simulate the production environment.\nBased on a sample report of 10 applications from OIT\xe2\x80\x99s testing and production\nenvironments provided by OIT, C5i determined that the\n                                                                        are not the\nsame version in the test environment as in production as follows:\n\n     (1) The              is currently using              in the test\n         environment while running                   in the production\n         environment.\n     (2) The                      is currently using                    in the\n         test environment while running                     in the production\n         environment.\n     (3) The                   is currently running                   in the test\n         environment while running                   in the production\n         environment.\n\n\n\n\n29\n   NIST SP 800-123, Guide to General Server Security, July 2008,\nhttp://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf, Page 4-2\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                            August 11, 2011\nReport No. 497\n                                                Page 10\n                                  REDACTED PUBLIC VERSION\n\x0cDifferent application versions may have different configuration files, and\ninconsistent configuration files may cause issues with applications, such as\naffecting the ability to view and create reports.\n\nAccording to OIT staff, the differences in the application versions occurred\nbecause newer versions of the applications were being tested in the test\nenvironment before being deployed to the production environment. 
However, the updated test environment is the same environment that OIT uses to test patches. Testing a patch in this updated environment may therefore not accurately predict whether the patch will adversely affect the existing, un-updated production environment.

Although there are currently no specific OIT policies or procedures that require it to implement or maintain identical environments, OIT's testing of patches in an environment that is not identical to the production environment could incorrectly indicate that patches could be successfully deployed to the SEC production environment when in fact they could have adverse effects on SEC production systems. Testing procedures for patches are detailed in OIT Implementing Instruction 24-05.04.03, Patch Management, which states the following:

           Patches and configuration modifications are initially tested on non-production systems to account for any unintended remediation consequences. The non-production testing environment, within budget constraints, needs to accurately represent the production configuration. 30

One of the main goals of the IT staff within an organization is to ensure that production systems run smoothly and efficiently. To achieve this goal, system modifications or additions need to be tested in a test environment that is configured identically to the production environment before they are deployed throughout the organization.

           Recommendation 4:

           The Office of Information Technology should ensure that the security control configurations applied in the production environment are identical to those applied in the testing environment.

           Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

           OIG Analysis. We are pleased that OIT concurred with this recommendation.

30
     OIT Implementing Instruction 24-05.04.03, Patch Management (Dec. 28, 2005).

Assessment of SEC's Continuous Monitoring Program                                  August 11, 2011
Report No. 497
                                                Page 11
                                   REDACTED PUBLIC VERSION

       Recommendation 5:

       The Office of Information Technology should develop and implement written procedures to ensure configuration consistency in the Commission's production and testing environments. These procedures should detail the software and hardware components in both environments and specify the actions required to maintain consistent environments.

       Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

       OIG Analysis. We are pleased that OIT concurred with this recommendation.


Finding 4: Policies and Procedures for Computer [redacted], Management, and [redacted] Have Not Been Fully Implemented, and Duties Are Not Segregated

       OIT currently does not have policies and procedures pertaining to log management and has not applied the concept of separation of duties to log management. As a result, logs may not be effectively capturing important information, and staff are not fully aware of their roles and responsibilities with respect to the logging function.

A computer log is a file that contains events that are logged by the operating system's components. Logs can be configured to track information about user activity, such as access, or to contain specific user information, such as the time pattern of a user's log-in. When an organization enables its logs, it can then use security tools to examine the logs to detect abnormal patterns, such as user log-ins at unusual times, which could suggest that an intruder has gained access to an organization's network, server, or system.

Logs are the primary tool used by system administrators to detect and investigate attempted and unauthorized network or computer system access activity and to troubleshoot user system problems. Since logs can track user activity, ensuring that logs are enabled can deter users from misusing the organization's network and make it possible to detect unauthorized access attempts to the organization's network, server, or system by hackers or intruders. Because most system threats are internal to an organization, logs can also aid in identifying the parties that are involved in security incidents. When an organization's logs are active and enabled, the organization should be able to obtain substantial information that will help it conduct an audit and trace events that can identify the root cause of problems.

Computerized data logging is the process of recording events with an automated computer program to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. Logs can be generated by such sources as the organization's system, server, and domain controller. The OIT Servers and Storage group is responsible for administering and managing hundreds of logs for the SEC's [redacted]

The OIT Servers and Storage group has enabled logging for all Exchange servers, 31 Print servers, File servers, Domain Controllers, and system-generated logs.
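As an added example (not code from the report, OIT, or any SEC tool), the kind of check the paragraphs above describe, run over a few constructed log lines carrying the fields the report says are captured: user ID and log-in/log-out time. The line layout, host names, the 06:00-20:00 business-hours window and the three-hour tolerance are all assumptions of the example.

```python
"""Added example (not from the OIG report or OIT): flag log-ins at unusual
times, and log-ons with no matching log-off, from the fields the report says
are captured (user ID, log-in/log-out time)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not SEC data). Assumed layout, one event per
# line: "<ISO-8601 timestamp> <host> <LOGON|LOGOFF> <user ID>".
SAMPLE_LOG = """\
2010-12-07T08:02:11 DC01 LOGON jdoe
2010-12-07T17:31:05 DC01 LOGOFF jdoe
2010-12-07T09:00:00 FS01 LOGON asmith
2010-12-07T16:45:00 FS01 LOGOFF asmith
2010-12-07T07:00:00 EX01 LOGON rlee
2010-12-07T15:00:00 EX01 LOGOFF rlee
2010-12-09T08:10:03 DC01 LOGON jdoe
2010-12-09T17:20:48 DC01 LOGOFF jdoe
2010-12-09T09:01:00 FS01 LOGON asmith
2010-12-09T16:55:00 FS01 LOGOFF asmith
2010-12-09T06:58:00 EX01 LOGON rlee
2010-12-09T15:02:00 EX01 LOGOFF rlee
2010-12-10T02:47:19 DC01 LOGON jdoe
2010-12-10T03:12:50 DC01 LOGOFF jdoe
2010-12-10T09:03:00 FS01 LOGON asmith
2010-12-10T19:30:00 EX01 LOGON rlee
2010-12-10T19:45:00 EX01 LOGOFF rlee
"""

EVENT_TYPES = {"LOGON", "LOGOFF"}


def parse_events(text):
    """Parse lines into event dicts; reject any line missing a required field
    (this is the 'are user ID and log-in/log-out time captured?' check)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] not in EVENT_TYPES:
            raise ValueError(f"line {lineno}: expected '<time> <host> <LOGON|LOGOFF> <user>'")
        events.append({"time": datetime.fromisoformat(parts[0]), "host": parts[1],
                       "event": parts[2], "user": parts[3]})
    return sorted(events, key=lambda e: e["time"])


def pair_sessions(events):
    """Match each LOGON to the next LOGOFF for the same (user, host).
    Returns (sessions, logons_without_logoff)."""
    open_logons, sessions, unmatched = {}, [], []
    for e in events:
        key = (e["user"], e["host"])
        if e["event"] == "LOGON":
            if key in open_logons:          # second LOGON before any LOGOFF
                unmatched.append(open_logons[key])
            open_logons[key] = e
        elif key in open_logons:
            start = open_logons.pop(key)
            sessions.append({"user": e["user"], "host": e["host"],
                             "start": start["time"], "end": e["time"]})
    unmatched.extend(open_logons.values())
    return sessions, unmatched


def logon_baseline(events):
    """Median log-on hour (decimal) per user, from that user's own history."""
    hours = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON":
            hours[e["user"]].append(e["time"].hour + e["time"].minute / 60)
    return {user: statistics.median(h) for user, h in hours.items()}


def unusual_logons(events, tolerance_hours=3.0, business_hours=(6, 20)):
    """Flag LOGONs outside the assumed business-hours window, or more than
    `tolerance_hours` away from the user's own median log-on hour."""
    baseline = logon_baseline(events)
    flagged = []
    for e in events:
        if e["event"] != "LOGON":
            continue
        hour = e["time"].hour + e["time"].minute / 60
        off_hours = not (business_hours[0] <= hour < business_hours[1])
        deviates = abs(hour - baseline[e["user"]]) > tolerance_hours
        if off_hours or deviates:
            flagged.append({"user": e["user"], "host": e["host"], "time": e["time"],
                            "reason": "outside business hours" if off_hours
                            else "deviates from user baseline"})
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in unusual_logons(evs):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['user']}@{f['host']}: {f['reason']}")
    for e in pair_sessions(evs)[1]:
        print(f"LOGON without LOGOFF: {e['user']}@{e['host']} at {e['time']:%Y-%m-%d %H:%M}")
```

On the sample, the 02:47 log-on by jdoe is flagged as off-hours, the 19:30 log-on by rlee as a departure from that user's own baseline, and asmith's last log-on is reported as having no matching log-off.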
NIST SP 800-92, Guide to Computer Security Log Management, states:

           Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. 37

The specifics of the type of information an organization chooses to capture in its logs (log configuration/rules), the log retention period (i.e., how long the logs are retained), system administrator roles and responsibilities, and how often logs should be reviewed are key components in establishing an organization's log management policies and procedures. Quantified, established policies and procedures give management the ability to guide operations without constant intervention because they provide guidance regarding day-to-day activities to system administrators, system owners, and system users.

31
     A Microsoft Exchange server is a widely used method of creating a messaging collaborative environment.

37
  NIST, Guide to Computer Security Log Management, Special Publication 800-92, p. ES-1, http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf, September 2006.

OIT Log Retention, Capture, and Management Policies and Procedures. C5i found that OIT does not have formal written policies and procedures pertaining to log retention, log capture, and log management. NIST 800-92 requires agencies to establish and maintain log management activities as follows:

        To establish and maintain successful log management activities, an organization should develop standard processes for performing log management. As part of the planning process, an organization should define its logging requirements and goals. Based on those, an organization should then develop policies that clearly define mandatory requirements and suggested recommendations for log management activities, including log generation, transmission, storage, analysis, and disposal. An organization should also ensure that related policies and procedures incorporate and support log management requirements and recommendations. The organization's management should provide the necessary support for the efforts involving log management planning, policy, and procedures development.

        After an organization defines its requirements and goals for the log management process, it should then prioritize the requirements and goals based on the organization's perceived reduction of risk and the expected time and resources needed to perform log management functions. An organization should also define roles and responsibilities for log management for key personnel throughout the organization, including establishing log management duties at both the individual system level and the log management infrastructure level. 38

NIST 800-53, Control AU-1 Audit and Accountability Policies and Procedures, provides the following guidance regarding the need for documented and implemented policies and procedures for audits (logs):

        The organization develops, disseminates, and reviews/updates (Assignment: organization-defined frequency):

        a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance; and

        b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. 39

38
   NIST, Guide to Computer Security Log Management, Special Publication 800-92, pp. ES-1–ES-2, http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf, September 2006.

C5i's interviews with OIT Server and Storage group [redacted] staff found that although they generate logs, OIT does not have any written log management policies and procedures. According to OIT staff, OIT is in the process of drafting policy, but the draft policy was not available for C5i's review. Therefore, C5i was unable to assess its adequacy and compliance with NIST 800-53 and NIST 800-92.

C5i judgmentally sampled real-time and historical event logs, [redacted] to verify the activities that were being documented (see screenshots in Appendix V).
C5i worked with members of the OIT Server and Storage group to capture screenshots of activities as the logs were generated. To verify the capture of logs, C5i requested logs for a judgmental number of dates. 40 OIT then accessed the logs for these dates and provided C5i with screenshots. Based on our review of the screenshots, we confirmed that user ID and log-in/log-out times are all captured for the [redacted] To fully verify all settings, a further in-depth analysis would have to be done to understand the level of information captured for user activities on [redacted] and systems. Authorized access can be abused (e.g., files or logs altered without authorization), which is why event log analysis is critical to ensure appropriate access and the use of network resources. Logs should be configured to provide sufficient information to verify user activity. Equally important to ensuring that data is being logged is establishing the storage and retention period for logs when an incident occurs. Incidents can go unnoticed for a long period; therefore, retaining data for a sufficient period is necessary if administrators and an organization are to be able to detect the causes of security-related incidents. NIST 800-92 41 recommends that security, application, and system logs be retained for 1 to 3 months for "moderate systems" 42 and 3 to 12 months for "high systems." 43 Additionally, NIST 800-53 has the following specific control for audit record retention:

           AU-11 AUDIT RECORD RETENTION

           Control: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

           Supplemental Guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention. 44

39
   NIST 800-53, p. F-24, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
40
   We requested and were provided event logs for June 21, 2006, December 18, 2006, January 17, 2011, January 20, 2011, and Active Directory logs for December 7, 2009, December 14, 2009, December 21, 2009, December 28, 2009, January 1, 2010, January 11, 2010, January 18, 2010, January 26, 2010, February 15, 2010, March 14, 2010, April 12, 2010, April 19, 2010, April 26, 2010, May 30 - 31, 2010, June 1 - 3, 2010, June 30, 2010, October 23, 2010, and December 16, 2010.
41
   NIST 800-92, pp. 4-3 and ES-1, http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf.
42
   A moderate system is one whose confidentiality, integrity, and availability are considered to be at a moderate level—compromise of the system's confidentiality, integrity, or availability would not cause grave damage to an organization.
43
   A high system is one whose confidentiality, integrity, and availability are considered to be critical—compromise of the system's confidentiality, integrity, or availability would cause grave damage to an organization and its ability to conduct business.

Based on interviews C5i conducted with OIT, we found that [redacted] of storage is allocated for each server [redacted] for logging; as soon as this threshold is met, an automated script transfers all the logs from each of the servers to a centralized server for storing. The job of the centralized server is to maintain logs from the [redacted] 47 of available storage. If the logs captured in the centralized server start to approach the [redacted], the OIT Server and Storage group is responsible for increasing storage capacity to maintain the high volume of logs.
This process is compliant with the NIST 800-53 control for audit storage. 48 Currently, the OIT Server and Storage group retains logs for one year. These logs are stored on-site at the SEC Operations Center, in Alexandria, Virginia, and are replicated at the Alternate Data Center (ADC), in Ashburn, Virginia.

Certain staff in the Server and Storage group have been granted administrator-level access for the task of verifying and reviewing audit records and event logs for [redacted]. However, C5i found that a key security principle—separation of duties—is not applied to OIT log management activities performed by the Server and Storage group. With separation of duties, more than one person is needed to complete a task. The goal of separation of duties is to promote integrity, prevent fraud, reduce the potential damage from the actions of one person, and implement an appropriate level of checks and balances on an individual's activities.

44
     NIST 800-53, p. F-30, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-
47
   Unit of measurement of computer memory equivalent to one trillion bytes or 1,000 gigabytes of information.
48
   NIST 800-53, p. F-24, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

Separation of duties is a requirement of NIST 800-53, which states the following:

 Control: Access Control, AC-5 Separation of Duties

             The organization:

                 a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
                 b. Documents separation of duties; and
                 c. Implements separation of duties through assigned information system access authorizations.

Supplemental Guidance. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., systems management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrators account for different roles. 49

NIST 800-92 emphasizes the separation of duties with respect to log management as a means of preventing log tampering and manipulation. C5i found that administrators who have access to system, [redacted] may also have the authority to alter, modify, and delete logs. Consistent with the principle of separation of duties from NIST 800-53, an individual with administrator access to configure the logs should not be the same person who generates or reviews the logs. Prevention of log tampering or alteration is essential to ensure the integrity of the logs; without separation of duties, the reliability of SEC log information is difficult to ensure.

Additionally, without fully documented and implemented policies and procedures, SEC OIT may not be effectively and thoroughly collecting important information with respect to Network and Systems log functions.

49
   NIST 800-53, pp. F8-F9, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.

        Recommendation 6:

        The Office of Information Technology should complete and finalize written server and storage log management policies and procedures that fully document the roles and responsibilities for log capture, management, retention, and separation of duties.

        Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

        OIG Analysis. We are pleased that OIT concurred with this recommendation.


Finding 5: OIT's [redacted] and [redacted] Disaster Recovery Tests Were Not Fully Successful Because Some Internal Applications Did Not Failover

        OIT is unable to failover all of its internal applications, which could hinder its ability to fully and swiftly perform mission-critical functions if a disaster or significant disruptions occur.

Disaster recovery (DR) is the process of re-establishing an organization's operations in the event of a disaster or other significant event, such as a tornado, hurricane, snowstorm, or fire. The process includes, but is not limited to, re-activating the organization's information systems, communicating with employees, establishing alternate work locations for employees, and identifying employees' needed roles and responsibilities. NIST 800-53 provides guidance to organizations covering contingency planning policy and procedures, contingency plans, contingency training, contingency plan testing and exercises, alternate storage sites, telecommunications service, information service backup, and information system recovery and reconstitution.
50 NIST has also developed and issued NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, 51 which details several aspects of the planning process for developing a comprehensive DR plan and program, including the information system contingency planning process, information system contingency plan development, and technical contingency planning considerations. 52

50
   NIST, Recommended Security Controls for Federal Information Systems and Organizations, Special Publication 800-53, Rev 3 (August 2009), app. F-CP, Contingency Planning, page F-47, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
51
   NIST, Contingency Planning Guide for Federal Information Systems, Special Publication 800-34, Revision 1 (May 2010), p. 18, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.

A DR plan is an information system–focused plan that is designed to restore the operability of a target system, application, or computer facility infrastructure at an alternate site. It applies to major disruptions in an organization's services or operations for an extended period of time. The DR plan may be supported by other information system contingency plans, which are organized, coordinated procedures that are to be activated to address the recovery of affected systems. However, the DR plan only addresses information system disruptions that require relocation to an alternate site.

To assess a DR plan's effectiveness, it must be tested to ensure it provides the SEC's senior-level management confidence in the Commission's ability to restore its systems, applications, and other computing resources in the event of a disaster or a significant event, such as a system disruption.

As documented in the OIG's 2010 Annual FISMA Assessment Report, 53 the SEC has established and maintains an agency-wide business continuity of operations plan/DR program that is consistent with NIST, FISMA, and OMB requirements and Federal Continuity Directive 1 (FCD1), which states that continuity plans and programs should be developed and have well-documented policies and procedures. 54 We did not test the SEC's continuity/disaster recovery plans, but merely reviewed the two specific DR tests conducted on [redacted] and [redacted] and the [redacted] re-test, and confirmed that the SEC has policies and procedures 55 for DR that comply with FCD1, as well as NIST, FISMA, and OMB requirements.

As part of the DR process, the system owners for specific SEC systems and applications are involved in testing the SEC's DR plan [redacted] to ensure the full functionality of the plan and failover of systems and to document problems that may need attention or remediation. The system owners and other OIT staff (i.e., Central Operations, Information Security, etc.) are responsible for the details of each test.

52
   NIST, Contingency Planning Guide for Federal Information Systems, Special Publication 800-34, Rev 1 (May 2010), pp. vi-vii, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.
53
   OIG, 2010 Annual FISMA Assessment Report, Report No. 489 (Mar. 6, 2011).
54
   Federal Continuity Directive 1, Federal Executive Branch Continuity Program and Requirements (February 2008).
55
   OIT-00047-001.0, Disaster Recovery Planning Procedures, 24-04.09, IT Security Business Continuity Management Program, SEC Implementing Instruction 24-04.09.01 (02.0), System Business Impact Analysis, and OIT-00003-001.0, Disaster Recovery Planning Policy.
56
   Failover is the capability to switch over automatically to a redundant or standby computer server, system, or network upon the failure or abnormal termination of the previously active application, server, system, or network. Failover happens without human intervention and generally without warning, unlike switchover.

On [redacted] SEC personnel performed the [redacted] of [redacted] DR plan tests for calendar year 2010. The test involved the failover of [redacted]

[redacted] are listed below in Table 2, along with the reasons they did not fail over successfully.

Table 1. Internal Applications that Did not Failover

 Application     Reason
 [redacted]      Application database [redacted]. Per OIT, this is considered a mission-critical application.
 [redacted]      Login was successful but reports [redacted] run due to [redacted] issues. 58
 [redacted]      Login was successful but reports [redacted] to [redacted] issues.
 [redacted]      Login was successful, but USA Staffing was not available at the [redacted].
Source: OIG-generated data.

On [redacted] the SEC system owners and the Disaster Recovery Group conducted the [redacted] DR test and selected [redacted] internal applications to test (see Appendix IV for a list of the applications). During this test, all but one internal application—[redacted]—successfully failed over and back. [redacted] did not fail over successfully because an incorrect version of the application had been installed at the [redacted]. The [redacted] application has been defined as mission-critical. The [redacted] applications that did not fail over successfully in the [redacted] test failed over successfully in the [redacted] test, demonstrating improvement in OIT's testing and remediation of the previously found issues. The [redacted] test was conducted specifically for the internal system with [redacted], and did not include the External Applications because they are not operated using [redacted] Table 2 provides a comparison of the results from the [redacted] DR tests.

57
     The [redacted] function enables the user to view a summary of [redacted] or previously executed [redacted] for a specific [redacted] for specific [redacted] http://wapps.sec.gov/oitintranet/oit_request/oit_learn/Bluesheet%205.0/Script%202A%20-%20How%20to%20Perform%20an%20Equity%20Cleared%20Search_Revised%20.pdf
58
   [redacted] is a web-based reporting environment where reports can be created, generated, edited, and shared with other users. It also provides the capability for e-mail distribution of reports.
59
   [redacted] is used by SEC staff in determining and handling cases where disgorgements and penalties are to be dispersed to investors. OIT provided C5i with a list of mission critical applications which identified the [redacted] application, among others.

Table 2. Comparison of [redacted] With Results of [redacted]

                        Test Date    Tested   Passed/Restored   Failed   Percentage Passed/Restored
 Internal Applications  [redacted]     40            36            4               90%
                        [redacted]     32            31            1               97%
 External Applications  [redacted]     12            12            0              100%
                        [redacted]    n/a           n/a          n/a               n/a
Source: OIG-generated data.

Although the SEC experienced a more favorable DR test result in [redacted], the [redacted] application still did not fail over successfully because different versions of the application are operating at [redacted] and at [redacted], which prevented the system owners from accessing the application.

On [redacted] OIT conducted a retest of applications previously tested in the [redacted] DR test. The retest consisted of [redacted] internal applications. In this retest, according to a spreadsheet provided by OIT that described the failover test results of all the applications, [redacted] internal, mission-critical applications [redacted] 60 and one non-mission-critical internal application, [redacted] did not fail over successfully as a result of the reporting functions not operating as expected due to problems with the report server. Although the reporting function did not operate as expected, the core applications did operate as expected. Table 2 shows the results of the [redacted] and the [redacted].

Table 3.
Comparison of                                                          With\nResults of\n                                                                        Percentage\n                                                    Passed/\n                     Test Date        Tested                   Failed    Passed/\n                                                    Restored\n                                                                         Restored\n Internal                                32            31        1         97%\n Applications                            42            39        3         93%\nSource: OIG-generated data.\n\nOur comparison of the         and                    and                  test results\nprovided by OIT indicate that different criteria was used by the DR team to\ndetermine the pass or fail of an application. In addition, we found that there is no\ndocumentation that specifies the criteria to be used by the DR team to determine\nthe pass or fail of an application in the test. As a result, there is confusion about\nthe success or failure of the application test and the documented result which\ncan lead to a misinterpretation of OIT\xe2\x80\x99s DR test results. For example, the\nspreadsheets provided to C5i indicate that in the                       , the\napplication has a failover status of \xe2\x80\x9cFail\xe2\x80\x9d due to \xe2\x80\x9cIQ Issues\xe2\x80\x9d \xe2\x80\x93 the reports function\n\n\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                        August 11, 2011\nReport No. 497\n                                       Page 21\n                              REDACTED PUBLIC VERSION\n\x0cnot operating properly. 
However, based on C5i\xe2\x80\x99s conversations with OIT\npersonnel, applications are considered successfully tested, i.e., passed, if the\nend user of the system is able to perform their basic functions after the system\nhas been recovered.\n\nThe main objective of a DR test is to verify an organization\xe2\x80\x99s ability to restore\napplications and systems in accordance with a specific recovery time objective.\nBased on the results of the\n             C5i determined that if a disaster or other significant event were to\noccur, some SEC applications and systems would likely be inaccessible to users\nand negatively affect the SEC\xe2\x80\x99s normal business operations.\n\n       Recommendation 7:\n\n       The Office of Information Technology should require that the\n               and the                           have consistent, appropriately\n       installed application and system configuration files to ensure the ability to\n       successfully failover and/or restore in the event of a disaster.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 8:\n\n       The Office of Information Technology should fully document and\n       communicate the criteria used to determine the success or failure of an\n       application during the Disaster Recovery tests to ensure consistent\n       reporting of results and alleviate confusion.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\n\n\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                      August 11, 2011\nReport No. 
497\n                                       Page 22\n                            REDACTED PUBLIC VERSION\n\x0cFinding 6: OIT Has Not Sufficiently Conducted an\nAnalysis to Determine Whether its Information\nSystem Backup Retention Period Is Sufficient\n        Given the criticality of Commission data, the SEC\xe2\x80\x99s\n        information system backup retention period of               may\n        not be sufficient. In the event of a full system failure, the\n        only data that could be restored would be from the previous\n                 , resulting in potential data loss that would negatively\n        affect the Commission\xe2\x80\x99s business operations. OIT has not\n        conducted a recent analysis to determine whether the\n             period is sufficient.\n\nInformation system backup consists of copying an organization\xe2\x80\x99s data, files, or\nthe contents of a hard drive or a server to preserve critical business data and\nother needed information so that they can be restored in the event of a data loss\nevent (e.g., hardware or software failure, natural disaster, file corruption, theft, or\nfire). An information system backup retention period is the length of time an\norganization can go back to perform a \xe2\x80\x9crestore\xe2\x80\x9d with minimal or no loss of data.\nOrganizations have a variety of options for backing up their information systems\nincluding tapes, zip drives, flash drives, CDs, DVDs, removable drives, remote\nservers, and network connections. OIT currently uses Digital Linear Tapes, a\nmagnetic tape storage technology, to back up the Commission\xe2\x80\x99s information\nsystems. However, OIT has informed us that by the end of calendar year 2011,\nthe office will replace tapes with storage disks.\n\nNIST Backup and Retention Policy. NIST has not issued specific guidance on\nbackup retention periods. 
According to NIST 800-34, “[b]ackup and retention schedules should be based on the criticality of the data being processed and the frequency that the data is modified.”61 NIST 800-92 also states that “…more stringent requirements for performing log preservation in support of investigations (e.g., internal investigations, computer security incident handling) should override the standard organization-established values for log retention as applicable.”

OIT’s Backup and Retention Policies and Procedures. According to SECR 23-2a, Safeguarding Non-Public Information, and SEC Administrative Regulation (SECR) 24-2.6, Enterprise Backup of Electronic Data, all backup tapes processed at the SEC offices and divisions are considered sensitive because they contain privacy-related information, such as PII, and critical and sensitive financial data. SEC Operating Procedure (OP) 24-05.02.04.07, Safeguarding Procedures for Non-Public Backup Media, requires that all backup media, including tapes, be appropriately marked to identify their content as SEC sensitive data.62

61 NIST 800-34, p. 57, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf, May 2010.

SECR 24-2.6, Enterprise Backup of Electronic Data, states the following:

     a) All critical files are backed up on a nightly basis;

     b) A full backup of each server that houses user and/or application data shall be performed weekly. After [redacted] the tapes are returned to OPC. Upon return of the tapes, they shall be recycled into the backup rotation. Regional and district offices shall send their full backup tapes to the designated SEC backup specialist on the first full workday after the backup was performed. If the full backup was not successful, another full backup must be taken as soon as possible, but not later than [redacted]; and

     c) On the days that a full backup is not performed, an incremental backup shall be performed.63

C5i interviewed personnel responsible for performing OIT’s backups to obtain a better understanding of how often OIT conducts backups, the length of time OIT maintains the backups, the criticality of the data being backed up, and where backup tapes were stored, as well as to ascertain whether OIT’s current backup policies and procedures meet the NIST 800-34 standard.64

C5i found that [redacted] are performed at [redacted] and individual SEC regional offices, which retain a copy of the [redacted] and [redacted] and [redacted]. Tapes are retained and are available for 30 days after the backup date. Once [redacted] has passed, the tapes are then shipped from the regional office and from [redacted] and all [redacted] of the tapes are recycled (reused) for future backups. For example, a backup tape made [redacted] ago would be available if needed, but a tape made [redacted] ago would already have been recycled and the data would no longer be available.

Data Replication. To further prevent data loss, OIT replicates65 data in real time between [redacted] and [redacted]. The SEC has [redacted] telecommunication links to circuits between [redacted] and [redacted]. These circuits are fully active and provide telecommunication connectivity over the [redacted] links such that if one circuit were to fail, there would still be connectivity on the [redacted] circuits. If [redacted] circuits were lost, a backup circuit from [redacted] that is routed through [redacted] would provide telecommunication connectivity. If the replication process itself had an issue, replication would be suspended until the link was back up. For all storage systems being replicated, connectivity would then resume without data loss, but the replication would have to catch up.

62 OP 24-05.02.04.07, Safeguarding Procedures for Non-Public Backup Media (Mar. 14, 2007).
63 SECR 24-2.6, Enterprise Backup of Electronic Data (May 15, 2003).
64 NIST 800-34, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf, May 2010.
65 Data replication is the process of copying data from one data source to another source while maintaining identical copies of the data that are synchronized. Any changes made to the original content should be posted to the copy of the data at the other location. This will enable two or more copies of data to be available.

Analysis of Retention Period. C5i inquired of OIT as to its basis for determining that its information backup retention period should be [redacted]. OIT informed us that it has not recently conducted an analysis to determine if the [redacted] is sufficient. OIT also has indicated that it has not reached out to its customers to determine if any customers would request or even require a longer backup retention period.
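The rotation described above (a weekly full backup, nightly incrementals, and tapes recycled after the 30-day retention the review found) can be modeled to see which restore points actually survive. The following Python is an added illustration written for this edition; it is not code from the report, OIT, or C5i. The Sunday full-backup day, the date range, and the single failed night are constructed assumptions. It shows the point a retention analysis turns on: a retained incremental tape is only usable if the full backup it depends on is still within the retention window, so the usable restore window is shorter than the nominal retention period.

```python
# Added example (not from the OIG report, OIT, or C5i): models a weekly-full /
# nightly-incremental tape rotation with a fixed retention period, so the effect
# of recycling tapes on the available restore points can be checked.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Tape:
    taken: date
    kind: str  # "full" or "incremental"


def generate_schedule(start: date, end: date, full_weekday: int = 6) -> list:
    """One tape per night: a full on full_weekday (6 = Sunday), an incremental otherwise.
    The weekday and date range are assumptions for the example, not the SEC's schedule."""
    tapes, day = [], start
    while day <= end:
        kind = "full" if day.weekday() == full_weekday else "incremental"
        tapes.append(Tape(day, kind))
        day += timedelta(days=1)
    return tapes


def available_tapes(tapes: list, today: date, retention_days: int) -> list:
    """Tapes older than the retention period have been recycled; their data is gone."""
    return [t for t in tapes if (today - t.taken).days < retention_days]


def restore_chain(tapes: list, today: date, retention_days: int, target: date):
    """Tapes needed to rebuild the state as of `target`: the latest surviving full taken
    on or before `target`, plus every nightly incremental from then up to `target`.
    Returns None when no complete chain exists (base full recycled, or a night missing)."""
    live = available_tapes(tapes, today, retention_days)
    fulls = [t for t in live if t.kind == "full" and t.taken <= target]
    if not fulls:
        return None  # incrementals without their base full cannot be restored
    base = max(fulls, key=lambda t: t.taken)
    incrementals = {t.taken: t for t in live if t.kind == "incremental"}
    chain, day = [base], base.taken + timedelta(days=1)
    while day <= target:
        if day not in incrementals:
            return None  # a failed or missing nightly breaks the chain
        chain.append(incrementals[day])
        day += timedelta(days=1)
    return chain


def earliest_recoverable(tapes: list, today: date, retention_days: int):
    """Oldest restore point with a complete chain: the oldest full still in rotation."""
    fulls = [t for t in available_tapes(tapes, today, retention_days) if t.kind == "full"]
    return min(t.taken for t in fulls) if fulls else None


def orphaned_incrementals(tapes: list, today: date, retention_days: int) -> list:
    """Retained incrementals whose base full has already been recycled: they still
    occupy the rotation but no longer give a usable restore point."""
    earliest_full = earliest_recoverable(tapes, today, retention_days)
    return [t for t in available_tapes(tapes, today, retention_days)
            if t.kind == "incremental" and (earliest_full is None or t.taken < earliest_full)]


def demo() -> dict:
    """Constructed scenario: nightly tapes 1 Jan 2011 to 1 Mar 2011, Sunday fulls,
    30-day retention (the retention figure is the one the report states)."""
    sched = generate_schedule(date(2011, 1, 1), date(2011, 3, 1))
    today, keep = date(2011, 3, 1), 30
    chain_feb8 = restore_chain(sched, today, keep, date(2011, 2, 8))
    one_night_failed = [t for t in sched if t.taken != date(2011, 2, 7)]
    return {
        "tapes_retained": len(available_tapes(sched, today, keep)),
        "earliest_recoverable": earliest_recoverable(sched, today, keep).isoformat(),
        "orphaned_incrementals": len(orphaned_incrementals(sched, today, keep)),
        "can_restore_2011_02_01": restore_chain(sched, today, keep, date(2011, 2, 1)) is not None,
        "chain_for_2011_02_08": [t.taken.isoformat() for t in chain_feb8],
        "can_restore_2011_02_08_without_feb7":
            restore_chain(one_night_failed, today, keep, date(2011, 2, 8)) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario 30 tapes are still in rotation on 1 March, but the oldest surviving full is the one taken on 6 February, so the six incrementals from 31 January to 5 February are retained yet unrestorable, and a restore to 1 February is impossible. Removing one night's tape (7 February) also makes 8 February unrecoverable, which is why the SECR 24-2.6 requirement to re-run a failed full backup promptly matters for the retention analysis.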

Based upon the criticality of data, we believe that it is important to conduct a thorough analysis to determine whether a [redacted] retention period is sufficient.

       Recommendation 9:

       The Office of Information Technology should analyze the level of criticality of the Commission data being [redacted] and the needs and wants of its customers, and establish an appropriate backup retention period based on the results of that analysis and that meets the requirements of the Commission.

       Management Comments. OIT concurred with this recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OIT concurred with this recommendation.

Finding 7: All SEC [redacted] are Not [redacted]

       Currently, the [redacted] for the Regional Offices are stored at the [redacted]. However, the [redacted] for the [redacted] are stored onsite and not at a secure off-site facility.

As outlined above in Finding 6, SEC OIT has documented policies and procedures for performing backup of critical SEC data which are compliant with NIST guidance. However, during our interviews, C5i was informed that OIT stores [redacted] for the SEC’s 11 regional offices66 and [redacted] but the [redacted] for the [redacted] are stored [redacted]. We further found that OIT has a contract with an off-site storage vendor that allows OIT to send tapes to the vendor twice a week.
However, OIT staff informed C5i that tapes had not been shipped to the off-site storage vendor since March 2008.

NIST 800-34, Contingency Planning Guide for Federal Information Systems, provides the following guidance:

         It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements. If using offsite storage, data is backed up at the organization’s facility and then labeled, packed, and transported to the storage facility. If the data is required for recovery or testing purposes, the organization contacts the storage facility requesting specific data to be transported to the organization or to an alternate facility. Commercial storage facilities often offer media transportation and response and recovery services. When selecting an offsite storage facility and vendor, the following criteria should be considered:

             •   Geographic area: distance from the organization and the probability of the storage site being affected by the same disaster as the organization’s primary site;
             •   Accessibility: length of time necessary to retrieve the data from storage and the storage facility’s operating hours;
             •   Security: security capabilities of the shipping method, storage facility, and personnel; all must meet the data’s security requirements;
             •   Environment: structural and environmental conditions of the storage facility (i.e., temperature, humidity, fire prevention, and power management controls); and
             •   Cost: cost of shipping, operational fees, and disaster response/recovery services.67

Thus, OIT is storing [redacted] in violation of NIST guidance, and even though OIT has a contract with an off-site vendor that could be utilized to store [redacted] for the [redacted] as per NIST guidance, OIT is not currently using this mechanism to send the [redacted] offsite.

66 The SEC’s 11 regional offices are in Atlanta, Boston, Chicago, Denver, Fort Worth, Miami, Los Angeles, New York, Philadelphia, Salt Lake City, and San Francisco.
67 NIST SP 800-34 Section 3.4.2, p. 21, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.

           Recommendation 10:

           The Office of Information Technology should ensure that [redacted] from the Commission’s [redacted] are sent to an [redacted].

           Management Comments. OIT concurred with this recommendation. See Appendix VII for management’s full comments.

           OIG Analysis. We are pleased that OIT concurred with this recommendation.

Finding 8: OAS’s Draft Contractor Entry and Exit Procedures Should be Revised to Include More Comprehensive Procedures

         OAS’s draft Commission-wide contractor entrance and exit policies lack the comprehensiveness of current OIT-specific procedures.

OIT’s Contractor Entry and Exit Operating Procedures. OIT has developed comprehensive operating procedures for contractor entry and exit, in its Contractor Entry and Exit, OP 24-06.04.01.01(01.2) guidance.
Without comprehensive procedures that fully outline specific roles and responsibilities, the Commission risks the improper entry and exit of contractors, which can cause projects to be delayed because of entry issues, contractor accounts to remain active after the contractor’s exit, and improper tracking of SEC assets, including laptops and RSA tokens.

Contractors are used throughout the federal government to augment department and agency workforces and to provide professional and management support services. Generally, federal government departments and agencies have processes and procedures to bring contractors on board and to terminate them when their services are no longer needed. In alignment with other federal departments and agencies, OIT has developed Contractor Entry and Exit, OP 24-06.04.01.01(01.2) procedures, which contain its operating procedures for the entry and exit of contractors.68 OIT’s procedures also include two forms to be used for OIT contractor entry and exit. The contractor entry form is used to request hardware and local area network access for an entering contractor and specifies pertinent documentation that the contractor must complete, such as a nondisclosure agreement and an authorization for credit check, in order to be processed for a badge.69 The contractor exit form is used to document the return of a departing contractor’s badge, equipment, and RSA token, and includes a section on reassigning equipment.70

68 Contractor Entry and Exit, OP 24-06.04.01.01(01.2) (July 18, 2006).

Overall, C5i found OIT’s entry and exit procedures for contractors to be comprehensive and sufficient. The entry process for OIT contractors requires completion of a background check and nondisclosure agreement, processing of credentials required to access SEC facilities and network systems, documentation of equipment issued (e.g., laptop, Blackberry), coordination of workspace for contractors working on-site at the SEC, and completion of the Contractor Entry Form. The exit process for OIT contractors includes, but is not limited to, documenting the roles and responsibilities of the staff for terminating accounts, collection of SEC equipment and badges, and reallocation of workspace.

C5i judgmentally selected 6 of 30 OIT Contracting Officer’s Technical Representatives (COTR) to interview and determine whether they were aware of current OIT policies and procedures pertaining to contractor entry and exit. C5i found that all 6 were aware of OIT’s contractor entry and exit policies and procedures.

OAS’s Draft Contractor Entry and Exit Policy. OAS staff provided C5i with its draft SEC contractor entrance and exit policy, Contractor Personnel Employment Entrance and Exit Procedures, dated November 29, 2010, which covers all SEC contractors, including OIT contractors, and will supersede the operating procedures OIT currently uses to oversee the entry and exit of OIT contractors. OAS was not initially aware that OIT had already developed comprehensive entrance and exit procedures and did not consider or review OIT’s procedures in drafting its overarching policies and procedures for the Agency.

C5i’s review of OAS’s draft policy determined that the OAS policy lacks certain specific details—details that are included in OIT’s operating procedures. We further determined that the OAS draft policy is insufficient.
Specifically, C5i found that the OAS draft procedures lack full coverage of the roles and responsibilities of administrative officers, COTRs, and contractor points of contact and do not contain references to other pertinent or applicable policies and procedures. Without comprehensive procedures that fully outline the contractors’ specific roles and responsibilities, the Commission risks the improper entry and exit of contractors, which can cause projects to be delayed because of entry issues, contractor accounts to remain active after the contractor’s exit, and the improper tracking of SEC assets, such as laptops and RSA tokens.

69 OP 24-06.04.01.02.T01.
70 OP 24-06.04.01.02.T02.

       Recommendation 11:

       The Office of Administrative Services should work with the Office of Information Technology to develop and implement a comprehensive Commission-wide policy for the Entry and Exit of Contractors.

       Management Comments. OAS and OIT concurred with this recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OAS and OIT concurred with this recommendation.

       Recommendation 12:

       After the Office of Administrative Services (OAS) contractor entry and exit policy, Contractor Personnel Employment Entrance and Exit Procedures, has been finalized and approved, OAS should provide training and communicate with responsible parties, such as Contracting Officers, Contracting Officer’s Technical Representatives, and Inspection and Acceptance Officials, regarding their roles and responsibilities and proper procedures with respect to contractor entry into and exit from the Commission.

       Management Comments. OAS concurred with this recommendation. See Appendix VII for management’s full comments.

       OIG Analysis. We are pleased that OAS concurred with this recommendation.

Finding 9: SEC Lacks Procedures to Ensure Timely Termination of Network Accounts

       No cross-referencing procedures exist at the Commission to ensure the timely termination of network accounts for separated or terminated users. Without such procedures, the accounts of terminated employees and contractors could remain active, allowing unauthorized and potentially malicious users to gain access to sensitive SEC data or systems.

According to NIST 800-53, organizations should manage information system accounts, and should deactivate temporary accounts that are no longer required and deactivate accounts of terminated or transferred users, and review accounts.71
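The NIST 800-53 expectation above, that accounts of terminated or transferred users be deactivated, is the control this finding tests, and the gap the finding describes is the absence of a cross-check between the separation records held by OHR, OAS and contracting officials and the accounts OIT has actually disabled. The following Python is an added illustration of such a cross-check; it is not the SEC’s or OIT’s process and is not code from the report. It reconciles separation records against an export of the network account inventory and reports accounts that are still enabled, were disabled late, or were used after the separation date. The CSV column names, the one-day grace period, and every record are constructed assumptions.

```python
# Added example (not the SEC's or OIT's process, and not from the OIG report): the kind
# of cross-referencing check Finding 9 says is missing. It reconciles separation
# records supplied by HR, OAS and contracting officials against an export of the
# network account inventory. Column names, grace period and all records are assumptions.
import csv
from datetime import date
from io import StringIO

# Constructed separation records (sample data, one row per separated person).
SEPARATIONS_CSV = """source,user_id,separation_date
OHR,jdoe,2011-01-14
OHR,asmith,2011-01-31
COTR,ctr_lee,2011-02-04
OAS,ctr_wong,2011-02-18
OHR,rkhan,2011-02-10
OHR,bjones,2011-03-15
"""

# Constructed account inventory export (sample data).
ACCOUNTS_CSV = """user_id,enabled,disabled_on,last_logon
jdoe,false,2011-01-14,2011-01-13
asmith,true,,2011-02-09
ctr_lee,true,,2011-02-03
ctr_wong,false,2011-02-25,2011-02-17
bjones,true,,2011-02-28
mnguyen,true,,2011-02-28
"""


def _parse_date(text: str):
    return date.fromisoformat(text) if text else None


def load_separations(text: str) -> dict:
    """user_id -> (source office, separation date)."""
    return {row["user_id"]: (row["source"], _parse_date(row["separation_date"]))
            for row in csv.DictReader(StringIO(text))}


def load_accounts(text: str) -> dict:
    """user_id -> account status fields."""
    return {row["user_id"]: {"enabled": row["enabled"].strip().lower() == "true",
                             "disabled_on": _parse_date(row["disabled_on"]),
                             "last_logon": _parse_date(row["last_logon"])}
            for row in csv.DictReader(StringIO(text))}


def reconcile(separations: dict, accounts: dict, as_of: date, grace_days: int = 1) -> list:
    """Cross-reference every separation on or before `as_of` with the account inventory.
    Returns (user_id, finding, detail) tuples; an empty list means every separation
    notice was matched by a timely deactivation."""
    findings = []
    for uid, (source, sep_date) in sorted(separations.items()):
        if sep_date > as_of:
            continue  # future separation: nothing to verify yet
        acct = accounts.get(uid)
        if acct is None:
            findings.append((uid, "MISSING_ACCOUNT",
                             f"{source} reports separation on {sep_date} but no account is in the inventory"))
            continue
        if acct["enabled"]:
            findings.append((uid, "STILL_ENABLED",
                             f"enabled {(as_of - sep_date).days} days after {source} separation date"))
        elif acct["disabled_on"] and (acct["disabled_on"] - sep_date).days > grace_days:
            findings.append((uid, "LATE_DISABLE",
                             f"disabled {(acct['disabled_on'] - sep_date).days} days after separation"))
        if acct["last_logon"] and acct["last_logon"] > sep_date:
            findings.append((uid, "POST_SEPARATION_LOGON",
                             f"last logon {acct['last_logon']} is after separation {sep_date}"))
    return findings


def run_demo() -> list:
    """Run the reconciliation over the constructed data as of 1 March 2011."""
    return reconcile(load_separations(SEPARATIONS_CSV), load_accounts(ACCOUNTS_CSV),
                     as_of=date(2011, 3, 1), grace_days=1)


if __name__ == "__main__":
    for uid, finding, detail in run_demo():
        print(f"{finding:22} {uid:10} {detail}")
```

Two design points are worth noting. A separation record with no matching account (rkhan in the constructed data) is reported rather than ignored, because it means the deactivation cannot be verified from the inventory at all. Conversely, an account that appears in no separation feed (mnguyen) is not evaluated by this check, which only confirms what the feeds report; that is why the NIST 800-53 expectation to review accounts periodically still applies alongside the cross-reference.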
As C5i reported in OIG’s 2010 Annual FISMA Executive Summary Report, C5i found network accounts for employees who had separated from the Commission that had not been disabled in a timely manner.72 Specifically, the accounts for 14 employees remained active after their last day of employment at the SEC.

Through subsequent interviews with OIT personnel and further assessment of the procedures surrounding account terminations, C5i found that although there is a process in place for terminating the accounts of separated employees and contractors, no verification procedures currently exist to ensure that accounts have been terminated.

C5i found that the same process is used for account termination and account creation. In both situations, OIT OP 24-05.01.02.T01, Request for Account Creation, Modification, Termination, or Transfer, is used. The IT Specialist or administrative contact for the relevant organization is responsible for completing the form and submitting it to the OIT Technical Assistance Center–Local Area Network Account Management Group, which is to enable or disable the account on the employee’s separation date, as documented on the form. In the event of an involuntary termination, the Technical Assistance Center and OIT Security are immediately notified of the termination and the account is terminated.

Through additional interviews with OIT personnel and further assessment of OIT’s account termination procedures, C5i found that although OIT is following its internal account termination process, there are no procedures to verify that all termination forms have been received and processed. Further, C5i found that there are no formal procedures or system for cross-referencing OIT user account termination records with Office of Human Resources, OAS, or Contracting Officer/COTR/Inspection and Acceptance Official records of employee and contractor terminations.

Without a process to ensure that all SEC employee and contractor termination forms have been received and processed by OIT, the SEC is unable to maintain an accurate and complete user account inventory and disable accounts in a timely manner. As a result, the accounts of terminated employees and contractors could remain active, permitting unauthorized and potentially malicious users access to sensitive SEC data or systems.

71 NIST 800-53, p. F-3, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.
72 OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 6, 2011).

       Recommendation 13:

       The Office of Human Resources, Office of Information Technology (OIT), Office of Administrative Services, and the contracting office should perform, at a minimum, a [redacted] of separated/terminated employees and contractors to ensure that OIT has received all account termination notices and has deactivated the appropriate accounts in a timely manner.

       Management Comments. OHR, OIT and OAS concurred with this recommendation. See Appendix VII for management’s full comments.

       OIG Analysis.
       We are pleased that OHR, OIT and OAS concurred with this recommendation.

                                                                         Appendix I

                               Abbreviations

ADC                     Alternate Data Center
BDRA                    Broker Dealer Risk Assessment
BLUE                    Bluesheet Management Systems
CATS                    Case Activity Tracking System
CMDB                    Configuration Management Database
COOP                    Continuity Of Operations Plan
COTR                    Contracting Officer’s Technical Representative
DR                      Disaster Recovery
EAUA                    External Application User Authentication
FACTS                   Filing Activity Tracking System
FDC1                    Federal Continuity Directive 1
FISMA                   Federal Information Security Management Act
FY                      Fiscal Year
IT                      Information Technology
NIST                    National Institute of Standards and Technology
NRSI                    Name Relationship Search Index
NSAR                    Investment Company Semi-Annual Report
OAS                     Office of Administrative Services
OHR                     Office of Human Resources
OIG                     Office of Inspector General
OIT                     Office of Information Technology
OMB                     Office of Management and Budget
OPC                     SEC Operations Center, Alexandria, Virginia
PII                     Personally Identifiable Information
PTS                     Property Tracking System
SDCAT                   Secure Data Collection Analysis Tool
SEC or Commission       U.S. Securities and Exchange Commission

                                                                                           Appendix II

                           Scope and Methodology

Scope. C5i obtained information from OIT and OAS pertaining to the SEC’s Continuous Monitoring Program. In addition, C5i interviewed staff members from all areas of OIT—End User Technology, Security, Server Group, Disaster Recovery Participants, Policy Development—to fully understand the roles and responsibilities of each organization and verify compliance with policies and procedures.

C5i conducted its assessment from November 2010 through January 2011. The scope of C5i’s work consisted of reviewing the following areas defined by NIST 800-53:

     •   Access Control
     •   Awareness and Training
     •   Audit and Accountability
     •   Security Assessment and Authorization
     •   Configuration Management
     •   Contingency Planning
     •   Identity and Authentication
     •   Incident Response
     •   Maintenance
     •   Media Protection
     •   Physical and Environmental Protection
     •   Planning
     •   Personnel Security
     •   Risk Assessment
     •   System and Services Acquisition
     •   System and Communications Protection
     •   System and Information Integrity73

C5i used the guidance from NIST 800-53; other NIST, OMB, and FISMA guidance; and industry best practices in C5i’s evaluation and to support its conclusions and recommendations.

Based on the results of our recent annual FISMA assessment,74 C5i was aware of areas on which it wanted to focus as well as processes and procedures that needed to be strengthened or improved. In addition to reviewing the findings from recent reports,75 C5i interviewed OIT personnel, reviewed documents provided, and reviewed SEC policies and procedures to find other areas in need of improvement. Those areas were as follows:

     •   Access Control
     •   Audit and Accountability
     •   Configuration Management
     •   Contingency Planning
     •   Identity and Authentication
     •   Planning
     •   System and Services Acquisition
     •   System and Communications Protection
     •   System and Information Integrity

73 NIST 800-53, pp. 2-7, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf (accessed on Jan. 29, 2011).
74 OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 6, 2011).

The review included an evaluation of the major security components for FISMA 2010 in order to provide recommended OIG responses to the OMB online questionnaire (i.e., information security and privacy items).
C5i also completed all data collection instruments related to FISMA 2010 and

     •   performed the necessary evaluation procedures to answer those questions in OMB Memorandum 10-15,
     •   compiled an executive summary for the SEC’s OIG, and
     •   performed a detailed security evaluation of two of the SEC’s major security components.

The scope also included a review of

     •   test results from disaster recovery exercises,
     •   asset management/tracking database,
     •   screen captures of logs, and
     •   all SEC policies and procedures pertinent to the required areas.

Methodology. To meet the overall objectives of the assessment of the SEC’s continuous monitoring program, C5i conducted interviews with key personnel, made independent observations, and examined documentation provided by SEC officials. Key personnel included system owners, business line managers, OIT representatives, and OIG personnel. These interviews were also used to identify issues germane to completing this assessment. C5i reviewed pertinent records and supporting documentation (policies, procedures, roles and responsibilities) to address the evaluation objective. C5i’s review of policies and procedures also included discussions with SEC officials and covered the areas identified in the scope.

75 OIG, Assessment of SEC’s Privacy Program, Report No. 485 (Sep. 29, 2010), and OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 6, 2011).

C5i staff members were provided with Certification and Accreditation packages, including plan of action and milestones, incident response documentation, pertinent SEC policies and procedures, DR plans, and after-action reports, for review and evaluation to ensure compliance with FISMA, NIST, and OMB guidance. C5i also reviewed an extensive collection of system data, policies, procedures, and other documentation relating to the systems and issues identified above. C5i relied on its analysis of all the information provided from various sources, including testimonial evidence, prior review coverage, and all documentation provided.

Management Controls. Consistent with the objectives of the review, C5i did not assess OIT’s management control structure or its internal controls. C5i evaluated existing controls at the Commission specific to the assessment, which are detailed above in the scope. C5i relied on information requested and supplied by OIT and interviews with OIT personnel to thoroughly understand OIT’s management controls pertaining to policies, methods of operation, and procedures.

Use of Computer-Processed Data. C5i did not assess the reliability of OIT’s computers because it did not pertain to C5i’s review objectives. Further, C5i did not perform any tests on the general or application controls over OIT’s automated systems, as this was not within the scope of the review. C5i believes that the information that was retrieved from SEC’s systems, as well as the requested documents provided to us, was sufficient, reliable, and adequate to use in meeting C5i’s stated objectives.
C5i reviewed the following computer-processed\ndata (i.e., Excel spreadsheets and MS Project plans) that OIT staff members\nprovided to us:\n\n   \xe2\x80\xa2   DR test scripts, test results, and after-action report,\n   \xe2\x80\xa2   compliance workbook detailing the status of Certification and Accreditation\n       of SEC systems,\n   \xe2\x80\xa2   screenshots of system logs\n   \xe2\x80\xa2   list of OIT COTR\xe2\x80\x99s, and\n   \xe2\x80\xa2   differences between the SEC production environment and the OIT test\n       environment.\n\nPrior OIG Coverage. The following four prior OIG reports are relevant to this\nreview:\n\n   \xe2\x80\xa2   OIG Report No. 489, 2010 Annual FISMA Executive Summary\n       Report, issued on March 3, 2011, which contained eight\n       recommendation to strengthen the commission\xe2\x80\x99s security posture.\n\n\n\nAssessment of SEC\xe2\x80\x99s Continuous Monitoring Program                   August 11, 2011\nReport No. 497\n                                       Page 35\n                            REDACTED PUBLIC VERSION\n\x0c                                                                        Appendix II\n\n\n   \xe2\x80\xa2   OIG Report No. 485, Assessment of the SEC\xe2\x80\x99s Privacy Program,\n       issued on September 29, 2010, which contained 20\n       recommendations to strengthen and improve the Commission\xe2\x80\x99s\n       security posture for protecting personally identifiable information.\n\n\n   \xe2\x80\xa2   OIG Report No. 476, Evaluation of the SEC Encryption Program,\n       issued on March 26, 2010, which contained three\n       recommendations to strengthen the IT management controls for\n       safeguarding the Commission\xe2\x80\x99s information.\n\n   \xe2\x80\xa2   OIG Report No. 
475, Evaluation of the SEC Privacy Program, issued on March 26, 2010, which contained one recommendation to manage and operate the privacy program with appropriate internal controls, privacy controls, and oversight.

Judgmental Sampling. C5i identified a population (universe) of five SEC contractors, employed by C5i and assigned to this assessment, to test the adherence of help desk staff to the procedures for password reset requests. Each test was performed by telephone: three from SEC offices, one from C5i offices, and one from a personal cell phone.

C5i personnel sat with OIT personnel to review logs and verify historical data. The C5i technician judgmentally requested logs for ad hoc dates, which were retrieved for the technician in real time.

                                                                        Appendix III

                        Criteria and Guidance

OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (April 21, 2010). Provides instructions for meeting agency FY 2010 reporting requirements under the Federal Information Security Management Act of 2002 (Title III, Pub. L. No. 107-347). It also includes reporting instructions for agency privacy management programs.

NIST SP 800-34, Contingency Planning Guide for Federal Information Systems (May 2010). Provides guidance on developing and implementing a contingency plan for information systems.

NIST SP 800-40, Version 2.0, Creating a Patch and Vulnerability Management Program (November 2005).
This document provides guidance for establishing and maintaining an effective patch and vulnerability management program.

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (updated May 1, 2010). Provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government.

NIST SP 800-86, Guide to Integrating Forensic Techniques Into Incident Response (August 2006). Provides detailed information on establishing a forensic capability, including the development of policies and procedures. Its focus is primarily on using forensic techniques to assist with computer security incident response, but much of the material is also applicable to other situations.

NIST SP 800-92, Guide to Computer Security Log Management (September 2006). Provides guidance on the generation, review, and retention of computer logs and log data.

NIST SP 800-123, Guide to General Server Security (July 2008). Provides guidance for securing servers deployed on a network.

Federal Information Security Management Act of 2002 (Title III, Pub. L. No. 107-347, Dec. 17, 2002). Requires each federal agency to develop, document, and implement an agency-wide program providing security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

E-Government Act of 2002 (Pub. L. No. 107-347, Dec. 17, 2002).
The purpose of this act is to improve the management and promotion of electronic government services and processes.

Federal Information Processing Standard Publication 199 (FIPS 199), Standards for Security Categorization of Federal Information and Information Systems (February 2004). Provides guidance on the proper categorization of an information system based on the security level of the information contained in the system.

Federal Information Processing Standard Publication 200 (FIPS 200), Minimum Security Requirements for Federal Information and Information Systems (March 2006). Specifies the minimum security requirements for federal information and information systems.

SEC Policies:

   •   OIT-00047-001.0, Disaster Recovery Planning Procedures (February 4, 2003)
   •   OIT 24-04.09, IT Security Business Continuity Management Program (December 12, 2005)
   •   SEC Implementing Instruction 24-04.09.01 (02.0), System Business Impact Analysis (December 12, 2005)
   •   OIT-00003-001.0, Disaster Recovery Planning Policy (August 6, 2002)
   •   SEC Implementing Instruction II 24-04.06.01 (01.1), Identification and Authentication (July 9, 2008)
   •   OIT 00015.002.0, Asset Management Procedure (July 8, 2003)
   •   OIT-00062-003.0, Procedure for Documenting Permanent and Temporary IT Asset Transactions (March 18, 2003)
   •   OIT 41-07-007-001.0, Password Reset Procedures for Remote and LAN Accounts (April 16, 2002)
   •   OIT Implementing Instruction 24-05.04.03, Patch Management (December 28, 2005)
   •   OIT 24-05.02.04.07, Safeguarding Procedures for Non-Public Backup Media (March 14, 2007)
   •   SECR 24-2.6, Enterprise Backup of Electronic Data (May 15, 2003)
   •   OD-24-05.09 (01.0), IT Asset Management Program (July 30,
       2009)
   •   OP 24-06.04.01.01 (01.2), Contractor Entry and Exit (July 18, 2006)
   •   Draft OAS Policy, Contractor Personnel Employment Entrance and Exit Procedures
   •   OP 24-06.04.01.02.T01, Contractor Entry Form (March 27, 2007)
   •   OP 24-06.04.01.02.T02, Contractor Exit Form (July 18, 2006)
   •   OIT OP 24-05.01.02.T01, Request for Account Creation, Modification, Termination, or Transfer (May 23, 2006)

                                                                   Appendix IV

                   [redacted] for External and Internal Applications

        Table 4. [redacted], External Applications

        Source: OIG-generated.

        Table 5.
Internal Applications [redacted] During [redacted]

               Internal Applications

        Source: OIG-generated.

                                                       Appendix V

                                 Screenshots

Figure 1. Event Logs: [redacted]

Source: Generated by OIT, [redacted].

Figure 2. Event Logs: Historical Archives

Source: Generated by OIT, [redacted].

Figure 3. Event Logs: Historical Archives

Source: Generated by OIT, [redacted].

Figure 4. Active Directory Logs: [redacted]

Source: Generated by OIT, [redacted].

Figure 5. Active Directory Logs: [redacted]

Source: Generated by OIT, [redacted].
Figure 6. Active Directory Logs: [redacted]

Source: Generated by OIT, [redacted].

Figure 7. Active Directory Logs: [redacted]

Source: Generated by OIT, [redacted].

Figure 8. ADC [redacted]

Source: Generated by OIT, [redacted].

Figure 9. ADC [redacted]

Source: Generated by OIT, [redacted].

Figure 10. OPC [redacted]

Source: Generated by OIT, [redacted].
                                                                      Appendix VI

                     List of Recommendations

Recommendation 1:

The Office of Information Technology (OIT) should review the Commission's Microsoft Active Directory settings and make the necessary changes to ensure that OIT password policy requirements, as documented in the Implementing Instruction, are strictly enforced for both on-site and remote users and that the documented password structure set forth in OIT policy is strictly enforced.

Recommendation 2:

The Office of Information Technology help desk should begin using a random password generator to create temporary passwords and require users to [redacted] on their [redacted].

Recommendation 3:

The Office of Information Technology (OIT) should implement training for [redacted] personnel to ensure that [redacted] technicians consistently verify users' information in accordance with OIT policy when they receive requests to change user accounts and passwords.

Recommendation 4:

The Office of Information Technology should ensure that the security control configurations applied in the production environment are identical to those applied in the testing environment.

Recommendation 5:

The Office of Information Technology should develop and implement written procedures to ensure consistency between the Commission's production and testing environments. These procedures should detail the software and hardware components in both environments and specify the actions required to maintain consistent environments.
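Recommendations 1 and 2 describe two checks a practitioner would automate: whether the directory's effective password policy matches the documented password structure, and whether help-desk temporary passwords come from a cryptographically secure generator rather than a guessable convention. The Python below is an added example written for this page; it is not code from the report, OIT, or the SEC. The policy values, the observed-domain-policy dictionary, the sample username, and the pattern-based password are all constructed assumptions. The dictionary keys MinPasswordLength, ComplexityEnabled and LockoutThreshold follow the property names of Active Directory's default domain password policy object, but the values are made up, and the redacted follow-on requirement in Recommendation 2 is not modeled.

```python
"""Added example (not from the OIG report, OIT, or the SEC): check passwords
against a documented structure, compare that structure with an observed domain
password policy, and issue temporary passwords from a CSPRNG."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """The documented password structure. Every value here is an assumption for
    illustration; the SEC's Implementing Instruction is not reproduced."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    lockout_threshold: int = 5  # failed attempts before lockout; 0 means never
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?"


def policy_violations(password, policy):
    """Return the rules `password` breaks; an empty list means compliant."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("length %d < %d" % (len(password), policy.min_length))
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_symbol and not any(c in policy.symbols for c in password):
        failures.append("no symbol")
    return failures


def domain_policy_gaps(observed, policy):
    """Compare an observed directory policy with the documented one. The keys
    follow Active Directory's default domain password policy properties
    (MinPasswordLength, ComplexityEnabled, LockoutThreshold); the values any
    caller of this example passes in are constructed, not SEC settings."""
    gaps = []
    if observed.get("MinPasswordLength", 0) < policy.min_length:
        gaps.append("MinPasswordLength %s below documented %d"
                    % (observed.get("MinPasswordLength"), policy.min_length))
    class_rules = (policy.require_upper, policy.require_lower,
                   policy.require_digit, policy.require_symbol)
    if any(class_rules) and not observed.get("ComplexityEnabled", False):
        gaps.append("ComplexityEnabled off: character-class rules not enforced")
    if policy.lockout_threshold and observed.get("LockoutThreshold", 0) == 0:
        gaps.append("LockoutThreshold 0: accounts never lock out")
    return gaps


def generate_temporary_password(policy, length=None):
    """Temporary password drawn from the OS CSPRNG (`secrets`, never `random`).
    One character from each required class guarantees the result passes
    policy_violations(); the rest come from the full alphabet; a CSPRNG-backed
    shuffle keeps the required characters off fixed positions."""
    length = length or policy.min_length
    classes = []
    if policy.require_upper:
        classes.append(string.ascii_uppercase)
    if policy.require_lower:
        classes.append(string.ascii_lowercase)
    if policy.require_digit:
        classes.append(string.digits)
    if policy.require_symbol:
        classes.append(policy.symbols)
    if length < len(classes):
        raise ValueError("length cannot satisfy every required class")
    alphabet = "".join(classes) or string.ascii_letters + string.digits
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def pattern_temporary_password(username, year):
    """Constructed illustration of a help-desk password built from user data.
    It satisfies the structural rules yet is guessable by anyone who knows the
    convention, which is why Recommendation 2 asks for a random generator."""
    return username[:1].upper() + username[1:] + str(year) + "!"


if __name__ == "__main__":
    policy = PasswordPolicy()
    observed = {"MinPasswordLength": 8, "ComplexityEnabled": True,
                "LockoutThreshold": 0}  # constructed, not SEC values
    print("domain policy gaps:", domain_policy_gaps(observed, policy))
    weak = pattern_temporary_password("m.garcia", 2011)
    print(weak, "->", policy_violations(weak, policy) or "passes structure check")
    temp = generate_temporary_password(policy)
    print(temp, "->", policy_violations(temp, policy) or "passes structure check")
```

`domain_policy_gaps` takes a plain dictionary so the same comparison can be run against an export from any directory; in an Active Directory domain the observed values would come from the default domain password policy, which this example does not query. The pattern-based password passes every structural rule, which is the point: a structure check cannot tell a predictable generator from a random one, so the generator itself has to be the control.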
Recommendation 6:

The Office of Information Technology should complete and finalize written server and storage log management policies and procedures that fully document the roles and responsibilities for log capture, management, retention, and separation of duties.

Recommendation 7:

The Office of Information Technology should require that the [redacted] and the [redacted] have consistent, appropriately installed application and system configuration files to ensure the ability to successfully fail over and/or restore in the event of a disaster.

Recommendation 8:

The Office of Information Technology should fully document and communicate the criteria used to determine the success or failure of an application during Disaster Recovery tests to ensure consistent reporting of results and alleviate confusion.

Recommendation 9:

The Office of Information Technology should analyze the level of criticality of the Commission data being [redacted], and the needs and wants of its customers, and establish an appropriate backup retention period based on the results of that analysis and that meets the requirements of the Commission.

Recommendation 10:

The Office of Information Technology should ensure that [redacted] from the Commission's [redacted] are sent to an [redacted].

Recommendation 11:

The Office of Administrative Services should work with the Office of Information Technology to develop and implement a comprehensive Commission-wide policy for the Entry and Exit of Contractors.
Recommendation 12:

After the Office of Administrative Services (OAS) contractor entry and exit policy, Contractor Personnel Employment Entrance and Exit Procedures, has been finalized and approved, OAS should provide training and communicate with responsible parties, such as Contracting Officers, Contracting Officer's Technical Representatives, and Inspection and Acceptance Officials, regarding their roles and responsibilities and proper procedures with respect to contractor entry into and exit from the Commission.

Recommendation 13:

The Office of Human Resources, Office of Information Technology (OIT), Office of Administrative Services, and the contracting office should perform, at a minimum, a [redacted] of separated/terminated employees and contractors to ensure that OIT has received all account termination notices and has deactivated the appropriate accounts in a timely manner.

                                                                                              Appendix VII

                                Management's Comments

                                                 MEMORANDUM

                                                                                      July 26, 2011

TO:               H. David Kotz, Inspector General
                  Office of Inspector General (OIG)

                  Jacqueline Wilson, Assistant Inspector General for Audit
                  Office of Inspector General

FROM:             Thomas A.
Bayer, Chief Information Officer
                  Office of Information Technology (OIT)

SUBJECT:          OIT's Response to the OIG Draft Report No. 497, Assessment of SEC's Continuous Monitoring Program

This memorandum is in response to the Office of Inspector General Draft Report No. 497, Assessment of SEC's Continuous Monitoring Program. Thank you for the opportunity to review and respond to this report.

Recommendation 1
The Office of Information Technology (OIT) should review the SEC's Microsoft Active Directory settings and make the necessary changes to ensure that OIT password policy requirements, as documented in the Implementing Instruction, are strictly enforced for both on-site and remote users and that the documented password structure set forth in OIT policy is strictly enforced.

OIT concurs with this recommendation and has taken steps to correct the issues.

Recommendation 2
The Office of Information Technology help desk should begin using a random password generator to create temporary passwords and require users to [redacted] on their [redacted].

OIT concurs with this recommendation; documentation and policy are forthcoming to completely correct the issue.

Recommendation 3
The Office of Information Technology (OIT) should implement training for [redacted] personnel to ensure that [redacted] technicians consistently verify users'
information in accordance with OIT policy when they receive requests to change user accounts and passwords.

OIT concurs with this recommendation; documentation and policy are forthcoming to completely correct the issue.

Recommendation 4
The Office of Information Technology should ensure that security controls configurations that are applied in the production environment are identical with those applied in the testing environment.

OIT concurs with this recommendation.

Recommendation 5
The Office of Information Technology should develop and implement written procedures to ensure configuration consistency in the Commission's production and testing environments. These procedures should detail the software and hardware components in both environments and specify the actions required to maintain consistent environments.

OIT concurs with this recommendation.

Recommendation 6
The Office of Information Technology should complete and finalize written server and storage log management policies and procedures that fully document roles and responsibilities for log capture, management, retention and separation of duties.

OIT concurs with this recommendation.

Currently, all SEC systems send their system security logs to an independent OIT Security log aggregation system. OIT Security staff and contractors have the ability to programmatically review and alert on security events independent of the event source. The OIT Security event aggregation system enforces the separation of incompatible duties.
OIT agrees that documentation needs to be updated to reflect our desired log management practices and separation of duties within our Servers and Storage Branch.

Recommendation 7
The Office of Information Technology should require that the [redacted] and the [redacted] have consistent, appropriately installed application and system configuration files to ensure the ability to successfully failover and/or restore in the event of a disaster.

OIT concurs with this recommendation and has taken steps to develop and implement procedures that will routinely verify system fail over configuration.

Recommendation 8
The Office of Information Technology should fully document and communicate the criteria used to determine the success or failure of an application during the DR tests to ensure consistent reporting of results and alleviate confusion.

OIT concurs with this recommendation and has taken the actions to comply with the recommendation.

Recommendation 9
The Office of Information Technology should analyze the level of criticality of SEC data being [redacted] and the needs and wants of its customers, and establish an appropriate backup retention period based on the results of that analysis and that meets the requirements of the Commission.

OIT concurs with this recommendation and has developed an investment plan to comply with this recommendation.

Recommendation 10
The Office of Information Technology should ensure that [redacted] from the SEC [redacted] are sent to an [redacted].

OIT concurs with this recommendation.

Recommendation 11
The Office of Administrative Services should work with the Office of Information Technology to develop and implement a comprehensive Commission-wide policy for the Entry and Exit of Contractors.

OIT concurs with this recommendation and will provide assistance to OAS to implement this Commission-wide policy.

Recommendation 13
The Office of Human Resources, Office of Information Technology (OIT), Office of Administrative Services, and the contracting office should perform, at a minimum, a [redacted] of separated/terminated employees and contractors to ensure that OIT has received all account termination notices and has deactivated the appropriate accounts in a timely manner.

OIT concurs with this recommendation.

                                                                                    Appendix VII

                                          MEMORANDUM

 To:      H.
David Kotz
          Inspector General
          Office of Inspector General

 From:    Jayne L. Seidman
          Acting Associate Executive Director
          Office of Administrative Services

 Date:    August 8, 2011

 Subject: Response to Draft Report #497, "Assessment of SEC's Continuous Monitoring Program"

I appreciate the opportunity to review and provide formal comments on the OIG's draft report.

Recommendation 11: OAS should work with the OIT to develop and implement a comprehensive Commission-wide policy for the Entry and Exit of Contractors.

OAS concurs. OAS will implement an agency-wide policy for entry and exit of contractors. The policy will establish the roles and responsibilities of administrative officers, COTRs, and contractor points of contact, and include references to other pertinent policies and procedures.

Recommendation 12: After the OAS contractor entry and exit policy, Contractor Personnel Employment Entrance and Exit Procedures, has been finalized and approved, OAS should provide training and communicate with responsible parties, such as Contracting Officers, Contracting Officer's Technical Representatives, and Inspection and Acceptance Officials, regarding their roles and responsibilities and proper procedures with respect to contractor entry into and exit from the Commission.

OAS concurs.
OAS will facilitate training on the agency-wide policy on entry and exit of contractor employees, and communicate with responsible parties regarding their roles and responsibilities and proper procedures.

Recommendation 13: OHR, OIT, OAS, and the contracting office should perform, at a minimum, a [redacted] of separated/terminated employees and contractors to ensure that OIT has received all account termination notices and has deactivated the appropriate accounts in a timely manner.

OAS concurs with respect to contractor staff. OAS will support OIT's audit for the specific roles identified and assigned to OAS in the policy.

                                                                                         Appendix VII

                                             MEMORANDUM

                                                August 5, 2011

TO:                H. David Kotz
                   Inspector General

FROM:              Cristin C. Fair
                   Acting Associate Executive Director
                   Office of Human Resources

SUBJECT:           OHR Management Response to Draft Report No. 497, Assessment of SEC's Continuous Monitoring Program

This memorandum is in response to the Office of Inspector General's Draft Report No. 497, Assessment of SEC's Continuous Monitoring Program. Thank you for the opportunity to review and respond to this report. We concur with the recommendation presented in the report for which OHR has joint responsibility.

Recommendation 13:

On request, OHR
will provide a report of separated/terminated employees to OIT for this [redacted].

                                                                      Appendix VIII

     OIG Response to Management's Comments

We are pleased that OIT, OAS, and OHR concurred with all 13 recommendations addressed to their respective offices. We are also encouraged that OIT, OAS, and OHR indicated they will work together to implement the recommendations that were addressed jointly to their offices.

OIT indicated that it has already taken steps to implement several of the recommendations. Further, OAS has indicated that it will implement an agency-wide policy for entry and exit of contractors, facilitate training on that policy after it has been finalized and approved, and provide support to OIT for the [redacted] of separated/terminated employees and contractors. Additionally, OHR indicated it will provide a report of separated/terminated employees to OIT for the [redacted] as well. We believe OIT, OAS, and OHR's proposed actions are responsive to the report's findings and recommendations.

We believe the swift implementation of all these important recommendations will significantly improve the SEC's continuous monitoring program, which is vital to helping the SEC track the security state of its information systems in a highly dynamic operating environment with changing threats, vulnerabilities, technologies, and missions and business processes.
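The reconciliation that OAS and OHR commit to support (Recommendation 13) is, in practice, a join between the separation report that HR and contracting supply and the directory's account export: any account still enabled past its holder's separation date, or disabled only long after it, is a finding, and a logon after separation turns that finding into an incident-response question. The Python below is an added example written for this page, not code from the report, OIT, OHR, or OAS. Both CSV inputs are constructed sample data, the column names are assumptions about an export format, and the one-day deactivation deadline (`grace_days`) is an assumption because the report's timeliness criterion is redacted.

```python
"""Added example (not from the OIG report, OIT, OHR, or OAS): reconcile a
separation report from HR/contracting against a directory account export to
find accounts still enabled, or disabled late, after the holder separated."""
import csv
import io
from datetime import date, timedelta

# Constructed sample data: the separation report OHR/OAS would supply ...
SEPARATIONS_CSV = """employee_id,name,separation_date,source
E1001,Ana Lopez,2011-06-30,OHR
C2002,Ben Turner,2011-07-05,OAS
E1003,Chen Wei,2011-07-29,OHR
C2004,Dana Ruiz,2011-05-15,OAS
"""

# ... and a constructed directory export of user accounts (column names assumed).
ACCOUNTS_CSV = """sam_account,employee_id,enabled,last_logon,disabled_on
alopez,E1001,false,2011-06-28,2011-07-01
bturner,C2002,true,2011-07-20,
cwei,E1003,true,2011-07-28,
druiz,C2004,true,2011-05-10,
svc_backup,,true,2011-08-01,
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile(separations, accounts, as_of, grace_days=1):
    """Match every separated person to their accounts by employee_id and report
    any account enabled past separation + grace_days, or disabled after that
    deadline. grace_days is an assumption (the report's criterion is redacted).
    Findings come back with the longest-outstanding first."""
    by_employee = {}
    for acct in accounts:
        if acct["employee_id"]:
            by_employee.setdefault(acct["employee_id"], []).append(acct)
    findings = []
    for sep in separations:
        separated = date.fromisoformat(sep["separation_date"])
        deadline = separated + timedelta(days=grace_days)
        for acct in by_employee.get(sep["employee_id"], []):
            enabled = acct["enabled"].lower() == "true"
            last_logon = _parse_date(acct["last_logon"])
            disabled_on = _parse_date(acct["disabled_on"])
            if enabled and as_of > deadline:
                issue, days = "still enabled", (as_of - deadline).days
            elif not enabled and disabled_on and disabled_on > deadline:
                issue, days = "disabled late", (disabled_on - deadline).days
            else:
                continue
            findings.append({
                "account": acct["sam_account"],
                "employee_id": sep["employee_id"],
                "source": sep["source"],
                "issue": issue,
                "days_past_deadline": days,
                # A logon after the separation date means the account was used
                # when its holder should no longer have had access.
                "logon_after_separation": bool(last_logon and last_logon > separated),
            })
    return sorted(findings, key=lambda f: f["days_past_deadline"], reverse=True)


def unowned_accounts(accounts):
    """Enabled accounts with no employee_id cannot be reconciled at all; they
    need an owner before a separation check means anything for them."""
    return [a["sam_account"] for a in accounts
            if a["enabled"].lower() == "true" and not a["employee_id"]]


def sample_findings(as_of="2011-08-11"):
    """Run the reconciliation over the constructed data as of a given date."""
    return reconcile(load_csv(SEPARATIONS_CSV), load_csv(ACCOUNTS_CSV),
                     date.fromisoformat(as_of))


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
    print("unowned:", unowned_accounts(load_csv(ACCOUNTS_CSV)))
```

Run as of 11 August 2011 the constructed data yields three overdue accounts (one of them used after its holder's separation), while `alopez`, disabled on the deadline, produces no finding. The `unowned_accounts` list is the complementary check: an account that no separation report can ever match is outside this control entirely.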
                     Audit Requests and Ideas

The Office of Inspector General welcomes your input. If you would like to request an audit in the future or have an audit idea, please contact us at:

U.S. Securities and Exchange Commission
Office of Inspector General
Attn: Assistant Inspector General, Audits (Audit Request/Idea)
100 F Street, N.E.
Washington, D.C. 20549-2736

Telephone: 202-551-6061
Fax:       202-772-9265
E-mail:    oig@sec.gov

      Hotline
      To report fraud, waste, abuse, and mismanagement at the SEC, contact the Office of Inspector General at

      Telephone: 877.442.0854

      Web-Based Hotline Complaint Form:
      www.reportlineweb.com/sec_oig